In a modular multiplication circuit which operates under the conditions 0 < N < 2^n, 0 ≤ A, B < 2N, R = 2^(n+2), a first multiplier performs multiplication between input values A and B. A second multiplier performs multiplication between the output of the first multiplier and [-(N^{-1} mod R)], which is decided by the set parameters N and R, and outputs M. A third multiplier performs multiplication between the output M and the set parameter N and outputs the product M × N. An adder adds the output of the first multiplier and the output of the third multiplier, and a shift register shifts the sum leftward by n+2 bits. Thus, an output P = (A × B + M × N)/R is produced.
BACKGROUND OF THE INVENTION

This invention relates to an encryption device for performing encoded communication in home banking, firm banking and electronic mail in a computer network and in various communication services such as electronic conferencing. Furthermore, the invention relates to an encryption device for performing encrypted communication using an encryption method that employs modular multiplication (quadratic residue ciphers, RSA ciphers, ElGamal ciphers, etc.), a key distribution method (DH-type key distribution method, ID-based key distribution method, etc.), a zero-knowledge authentication system, etc.

Further, the invention relates to a communication method and apparatus which employ the random-number generation necessary in encrypted communication, particularly data concealment, originator/terminator authentication, distribution of encryption keys, a zero-knowledge authentication protocol, etc. The invention relates also to a method and apparatus for random-number generation as necessary in a Monte Carlo simulation, by way of example.

The importance of cryptographic techniques to protect the content of data has grown with the rapid advances that have recently been made in information communication systems using computer networks. In particular, high-speed encryption is becoming essential as computer networks are being developed for higher speed and larger volume.

Among the foregoing, modular multiplication is a particularly important operation used in various cryptographic techniques. Various methods of encryption using modular multiplication will now be described.

Two methods of encryption which are well known are the secret-key cryptosystem and the public-key cryptosystem.

In a public-key cryptosystem, the encryption and decryption keys differ. The encryption key is known publicly but the decryption key is held in secrecy by the receiving party, and it is difficult to infer the decryption key from the publicly disclosed encryption key. Ciphers based upon modular multiplication, such as RSA ciphers and ElGamal ciphers, are used widely in public-key cryptosystems. Attention is being given to the fact that these ciphers have an application called authentication in addition to a secret communication function. Authentication, which is a function for investigating whether the party transmitting a communication text is correct or not, is also referred to as digital signature. In digital signature using these ciphers, secret signatures known only to the transmitting party are possible and cannot be forged. Accordingly, digital signature is secure and often finds use as a form of authentication communication in financial facilities.

In a secret-key cryptosystem, in which the same key is shared in secrecy by both the sending and receiving parties, use is made of random numbers referred to as quadratic residues obtained from an operation employing modular multiplication.

The above-mentioned public-key cryptosystem and secret-key cryptosystem methods are often used together with a key-delivery system or key distribution system. A well-known example of the key-delivery system is DH-type key delivery by Diffie and Hellman. These systems also implement operations using modular multiplication. Furthermore, an ID-based key distribution method is attracting attention as a key distribution method. Modular multiplication is used in various key distribution methods.

In addition, zero-knowledge authentication is available as an encryption technique. This is a method in which one party convinces another party of the fact that it possesses certain knowledge without letting the other party know the content of the information.

The details of the foregoing are described in "Modern Cryptographic Theory" [Denshi Joho Tsushin Gakkai (1986)] by Shinichi Ikeno and Kenji Koyama, and "Cryptography and Information Security" [Shokodo (1990)] by Shigeo Tsujii and Masao Kasahara.

It should be appreciated from the foregoing that if an efficient modular multiplication circuit and method can be realized, this will make it possible to implement a variety of encryption systems efficiently.

A technique referred to as the Montgomery method (Montgomery, P. L.: "Modular Multiplication without Trial Division", Math. of Computation, Vol. 44, 1985, pp. 519-521) is known as a method of performing the modular multiplication P = A·B·R^{-1} mod N (where R and N are relatively prime integers). The Montgomery method makes it possible to perform modular multiplication without division. This will now be described.

[Description of Montgomery Method]

A theorem derived by Montgomery is as follows: "When N and R are relatively prime integers and N' = -N^{-1} mod R holds, then for an arbitrary integer T, (T + M·N)/R satisfies the following relationship:

(T + M·N)/R = T·R^{-1} mod N    (A-1)

where M = T·N' mod R holds."
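Why the division in (A-1) is exact and why the quotient is the right residue, worked out here as an added derivation (not part of the original patent text) from the definitions of M and N' above:

$$
\begin{aligned}
T + M\cdot N &\equiv T + (T\cdot N')\cdot N = T\,(1 + N'\cdot N) \equiv T\,(1 - 1) = 0 \pmod{R}, \\
&\text{so } (T + M\cdot N)/R \text{ is an integer;} \\
R\cdot\frac{T + M\cdot N}{R} &= T + M\cdot N \equiv T \pmod{N}, \\
&\text{so } \frac{T + M\cdot N}{R} \equiv T\cdot R^{-1} \pmod{N}.
\end{aligned}
$$

The second congruence uses N'·N ≡ -1 (mod R), which is the definition of N'; the last step multiplies by R^{-1} mod N, which exists because R and N are relatively prime.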

In accordance with the Montgomery method, therefore, in a case where the modular multiplication P = A·B·R^{-1} mod N is to be executed, this can be carried out in the manner

P = A·B·R^{-1} mod N = (A·B + M·N)/R    (A-2)

where

M = A·B·N' mod R    (A-3)

using an integer R which is relatively prime with respect to N.

In a case where N is an odd number, R is a relatively prime integer with respect to N if R = 2^r (where r is any integer) holds. In this case, division by R entails a bit shift only and, hence, the operation of Equation (A-2) can be executed in simple fashion by multiplication and addition.

With the Montgomery method, however, cases arise in which the range of output values of modular multiplication becomes larger than the range of input values. For example, letting the ranges of the values of inputs A and B be expressed by

0 ≤ A, B < N

the operation of the Montgomery method indicated by Equations (A-2), (A-3)

P = (A·B + M·N)/R = (C + M)·N/R

where

C = A·B/N

is executed.

If C + M > R holds in this case, then (C + M)/R > 1 will hold and we will have

P = (A·B + M·N)/R > N

That is, there will be cases in which a value P > N is outputted with respect to inputs of 0 ≤ A, B < N.

As a consequence, it is difficult to repeat modular multiplication by a circuit or method which implements the Montgomery method. Further, the operation of modular multiplication generally used in cryptographic techniques is

Q = A·B mod N

In order to realize such modular multiplication, it is necessary to repeat the Montgomery method a plurality of times. This makes it difficult to execute this operation efficiently using the Montgomery method.

Further, with regard to a sequence of random numbers used in encrypted communication, it is required that random numbers generated after a certain point in time not be readily predictable from the sequence of random numbers generated up to this point in time. In the literature "Primality and Cryptography" (by Evangelos Kranakis, published by John Wiley & Sons, pp. 108-137), a sequence of pseudorandom numbers satisfying the above-mentioned requirement is described.

Specifically, if we let a sequence of pseudorandom numbers be represented by b_1, b_2, ..., a bit b_i is given by

x_{i+1} = x_i^2 mod N    (i = 0, 1, 2, ...)    (B-1)
b_i = lsb(x_i)    (i = 1, 2, ...)    (B-2)

where x_0 is an initial value given arbitrarily and p, q are prime numbers for which p ≡ q ≡ 3 (mod 4) holds (it should be noted that N = p·q holds and lsb represents the least significant bit).

A different method of generating a sequence of pseudorandom numbers is described in the literature "Cryptography and Information Security" (by Shigeo Tsujii and Masao Kasahara, published by Shokodo, p. 88).

Specifically, if we let a sequence of pseudorandom numbers be represented by b_1, b_2, ..., a bit b_i is given by

x_{i+1} = x_i^e mod N    (i = 0, 1, 2, ...)    (B-3)
b_i = lsb(x_i)    (i = 1, 2, ...)    (B-4)

where x_0 is an initial value given arbitrarily, p, q are prime numbers and e is a number relatively prime with respect to L (L is the least common multiple of p-1 and q-1), N = p·q holds and lsb represents the least significant bit.

It is known that obtaining b_{i+1} solely from the sequence of pseudorandom numbers b_1, b_2, ..., b_i generated by these methods would require an amount of labor tantamount to that needed to factorize N. In other words, it is known that the amount of computation for obtaining the pseudorandom numbers to be generated from a certain point in time onward from the sequence of pseudorandom numbers generated up to this point in time is equivalent to the amount of computation needed to factorize N. However, in order to make the factorization of N difficult in terms of amount of computation, it is required that p, q be made several hundred bits. Random numbers thus generated by a method through which it is made difficult, in terms of amount of computation, to predict the random numbers to be generated from a certain point in time onward from the sequence of random numbers generated up to this point in time are referred to as pseudorandom numbers considered cryptologically secure.

The operations of Equations (B-1) and (B-3) are included in the operation referred to as modular multiplication indicated by the following equation:

Q = u·v mod N    (B-5)

(where Q, u, v are integers.)

The above-mentioned Montgomery method is known as a method of performing modular multiplication efficiently. If the Montgomery method is used, the operation can be carried out without performing division by the modulus N. As a result, processing can be executed more efficiently than with ordinary modular multiplication.

If we let modular multiplication for a case in which the Montgomery method is used be represented by Mont(u, v), then Mont(u, v) will be given by

Mont(u, v) ≡ u·v·R^{-1} (mod N)    (B-6)

using R, which is a number relatively prime with respect to N.

In order to obtain the computational result Mont(u, v) of the above equation with the Montgomery method, the following operation is carried out:

Mont(u, v) = (u·v + M·N)/R    (B-7)

where

M = u·v·N' mod R    (B-8)
N' = -N^{-1} mod R    (B-9)

In a case where N is an odd number, R and N are relatively prime integers if R = 2^t (where t is any integer) holds. In this case, division by R and modular multiplication essentially need not be performed, and Mont(u, v) can be executed at high speed solely by multiplication and addition.

The procedure for performing a quadratic residue operation in a case where the Montgomery method is used is given by

y_0 = R·x_0 mod N    (B-10)
y_{i+1} = R^{-1}·y_i^2 mod N    (i = 0, 1, 2, ...)    (B-11)

using the same parameters as in Equation (B-1) and R, which is a number relatively prime with respect to N.

In this case, when the sequences generated by Equations (B-1) and (B-11) are compared, we have

y_i = R·x_i mod N    (i = 0, 1, 2, ...)    (B-12)

and the sequence y_i (i = 0, 1, 2, ...) generated by Equation (B-11) is obtained by multiplying the sequence x_i (i = 0, 1, 2, ...) generated by Equation (B-1) by R. Accordingly, in order to generate b_i, which is the series of the least significant bits of x_i, as a pseudorandom number sequence which is cryptologically secure, it is required that the following operation be performed with regard to the y_i obtained by computation:

x_i = R^{-1}·y_i mod N    (i = 0, 1, 2, ...)    (B-13)

Equation (B-3) can be executed by repeating the modular multiplication operation indicated by Equation (B-5). More specifically, the procedure for successively computing the modular exponentiation x_{i+1} = x_i^e mod N (i = 0, 1, 2, ..., s) by repeating modular multiplication is as indicated by "Algorithm 1" below. It should be noted that e is an integer comprising k bits and is represented by e = [e_k, e_{k-1}, ..., e_2, e_1].

[Algorithm 1]

INPUT x_0, e, N, s                                   (*1)
FOR i = 0 TO s                                       (*2)
    x_{i+1} = 1
    FOR j = k TO 1
        IF e_j = 1 THEN x_{i+1} = x_{i+1}·x_i mod N
        IF j > 1 THEN x_{i+1} = x_{i+1}·x_{i+1} mod N
    NEXT
    OUTPUT x_{i+1} (= x_i^e mod N)
NEXT                                                 (*9)

With the INPUT statement of line (*1), the values of x_0, e, N, s are entered. Here s is the iteration number of the residue operation. The FOR statement of line (*2) is a command for repeating the processing up to line (*9) from "0" to "s" with respect to the index i. This statement causes repetition of the processing for successively obtaining the modular exponentiation x_{i+1} (i = 0, 1, 2, ..., s).

The procedure for computing the modular exponentiation x_{i+1} = x_i^e mod N by repeating modular multiplication using the computation procedure of the Montgomery method is as shown below. It should be noted that R is a relatively prime integer with respect to N and that e is an integer comprising k bits, as mentioned earlier, where e = [e_k, e_{k-1}, ..., e_2, e_1]. If this algorithm is executed, the series x_i (i = 0, 1, 2, ..., s), which is obtained by Equation (B-3), can be acquired.

[Algorithm 2]

INPUT x_0, e, N, s, Rr = R^2 mod N
FOR i = 0 TO s
    y_i = Mont(x_i, Rr)                              (*1)
    y_{i+1} = Mont(1, Rr)                            (*2)
    FOR j = k TO 1
        IF e_j = 1 THEN y_{i+1} = Mont(y_{i+1}, y_i)
        IF j > 1 THEN y_{i+1} = Mont(y_{i+1}, y_{i+1})
    NEXT
    x_{i+1} = Mont(y_{i+1}, 1)                       (*3)
    OUTPUT x_{i+1} (= x_i^e mod N)
NEXT

In a case where Equation (B-3) is computed by the Montgomery method in accordance with Algorithm 2, the series y_{i+1} (i = 0, 1, 2, ..., s) obtained as the output of the FOR-NEXT portion with respect to j is represented by

y_0 = R·x_0 mod N    (B-14)
y_{i+1} = R^{-(e-1)}·y_i^e mod N    (i = 0, 1, 2, ...)    (B-15)

using the same parameters as in Equation (B-1) and R, which is a number relatively prime with respect to N.

In this case, when the sequence x_{i+1} (i = 0, 1, 2, ...) generated by Equation (B-3) and the sequence y_{i+1} (i = 0, 1, 2, ...) generated by Equation (B-15) are compared, we have

y_i = R·x_i mod N    (i = 0, 1, 2, ...)    (B-16)

In other words, in a case where Equation (B-3) is computed by the Montgomery method in accordance with Algorithm 2, the sequence y_{i+1} (i = 0, 1, 2, ..., s) obtained as the output of the FOR-NEXT portion with respect to j has the relation of Equation (B-16) with regard to the sequence x_{i+1} (i = 0, 1, 2, ..., s) obtained by Equation (B-3).

Accordingly, in order to obtain the operational result x_{i+1} (= x_i^e mod N), which is obtained by Algorithm 1 of a modular exponentiation operation that does not employ the Montgomery method with regard to the input x_i, by Algorithm 2 of a modular exponentiation operation that does employ the Montgomery method, it is necessary to correct x_i to y_i = Mont(x_i, Rr) (= R·x_i mod N) by the equation (*1) of Algorithm 2, and to correct y_{i+1}, which is obtained as the output of the FOR-NEXT portion with respect to j, to x_{i+1} = Mont(y_{i+1}, 1) (= R^{-1}·y_{i+1} mod N) by equation (*3).
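Algorithm 1 and Algorithm 2 side by side, as an added example that is not part of the patent text: both compute x_{i+1} = x_i^e mod N of Equation (B-3), the second one in the Montgomery domain using Mont() of Equations (B-7) to (B-9) with the conversions (*1) and (*3), and switching the conversion (*3) off exposes the uncorrected value y_{i+1} = R·x_{i+1} mod N of Equation (B-16). The function names and the toy values p = 7, q = 11 (N = 77, R = 2^7) are constructed for illustration; a secure generator needs p, q of several hundred bits.

```python
# Added example, not from the patent: Algorithm 1 (plain square-and-multiply) beside
# Algorithm 2 (the same exponentiation using only Mont()), with the symbols of
# Equations (B-3), (B-7)-(B-9) and (B-16). All parameter values are constructed toy values.

def mont(u, v, N, R, N_prime):
    """Mont(u, v) = (u*v + M*N)/R with M = u*v*N' mod R (Equations B-7, B-8).
    The quotient is exact because u*v + M*N is a multiple of R. For u, v < N < R it is
    below 2N, so one conditional subtraction yields the residue mod N."""
    M = (u * v * N_prime) % R
    t = (u * v + M * N) // R
    return t - N if t >= N else t

def algorithm1(x0, e, N, s):
    """Algorithm 1: returns [x_1, ..., x_{s+1}] with x_{i+1} = x_i^e mod N.
    e_j is bit j of e, scanned from e_k (most significant) down to e_1."""
    k = e.bit_length()
    x = x0
    out = []
    for _ in range(s + 1):
        x_next = 1
        for j in range(k, 0, -1):
            if (e >> (j - 1)) & 1:
                x_next = x_next * x % N
            if j > 1:
                x_next = x_next * x_next % N
        out.append(x_next)
        x = x_next
    return out

def algorithm2(x0, e, N, R, s, correct_output=True):
    """Algorithm 2: the same sequence computed with Mont() only (x0 < N is assumed).
    Step (*1) maps x_i to y_i = R*x_i mod N and step (*3) maps y_{i+1} back.
    With correct_output=False the value returned is the raw FOR-NEXT output y_{i+1},
    which is R*x_{i+1} mod N (Equation B-16) and whose lsb is NOT the pseudorandom bit."""
    N_prime = (-pow(N, -1, R)) % R     # N' = -N^-1 mod R (Equation B-9)
    Rr = R * R % N                      # Rr = R^2 mod N
    k = e.bit_length()
    x = x0
    out = []
    for _ in range(s + 1):
        y = mont(x, Rr, N, R, N_prime)          # (*1): y_i = R*x_i mod N
        y_next = mont(1, Rr, N, R, N_prime)     # (*2): Montgomery form of 1 (= R mod N)
        for j in range(k, 0, -1):
            if (e >> (j - 1)) & 1:
                y_next = mont(y_next, y, N, R, N_prime)
            if j > 1:
                y_next = mont(y_next, y_next, N, R, N_prime)
        x_next = mont(y_next, 1, N, R, N_prime)  # (*3): x_{i+1} = R^-1 * y_{i+1} mod N
        out.append(x_next if correct_output else y_next)
        x = x_next
    return out

def lsb_bits(xs):
    """b_i = lsb(x_i) (Equations B-2, B-4)."""
    return [x & 1 for x in xs]

if __name__ == "__main__":
    # Constructed toy parameters: p = 7, q = 11 (both 3 mod 4), N = 77, R = 2^7 > N.
    N, R = 77, 1 << 7
    print(algorithm1(4, 2, N, 3))                            # quadratic residues (B-1)
    print(algorithm2(4, 2, N, R, 3))                         # same via Montgomery domain
    print(algorithm2(4, 2, N, R, 3, correct_output=False))   # R*x_i mod N (B-16)
    print(lsb_bits(algorithm2(4, 2, N, R, 3)))               # the bits b_i (B-2)
```

With e = 2 the two functions reproduce the quadratic residue sequence of Equation (B-1); with an e relatively prime to lcm(p-1, q-1) they reproduce Equation (B-3).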

However, in a case where the secure pseudorandom number generating method described above is used, it is required that p, q be made several hundred bits. As a result, a large amount of computation is involved. In particular, the amount of computation for the portions of Equations (B-1), (B-3) is large. Consequently, pseudorandom numbers cannot be generated at high speed, and generation/reproduction of communication data cannot be performed at high speed on the basis of these pseudorandom numbers.

SUMMARY OF THE INVENTION

Accordingly, a concern of the present invention is to provide an encryption device, as well as a communication apparatus using this device, in which it is possible to execute the modular multiplication P = A·B·R^{-1} mod N, without changing the ranges of the input/output values, using the Montgomery method, whereby encryption is performed by executing modular multiplication efficiently.

Another concern of the present invention is to provide an encryption device, as well as a communication apparatus using this device, in which encryption is performed by executing the modular multiplication Q = A·B mod N efficiently by the Montgomery method.

A further concern of the present invention is to provide a communication method and apparatus in which secure pseudorandom numbers can be generated at higher speed and more easily, wherein the pseudorandom numbers are used to perform generation/reproduction of communication data at high speed.

Other features and advantages of the present invention will be apparent from the following description taken in conjunction with the accompanying drawings, in which like reference characters designate the same or similar parts throughout the figures thereof.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention.

Fig. 1 is a diagram showing the configuration of an encryption system according to an embodiment of the present invention;
Fig. 2 is a diagram showing the manner in which the encryption system of this embodiment is applied to a memory arrangement;
Fig. 3 is a block diagram showing an example of the configuration of a modular multiplication circuit according to a first embodiment;
Fig. 4 is a diagram showing an example of the configuration of a modular multiplication circuit for obtaining an output value Q in a second embodiment;
Fig. 5 is a block diagram showing the configuration of a modification of the second embodiment;
Fig. 6 is a diagram showing the configuration of a pseudorandom number generator according to a third embodiment;
Fig. 7 is a diagram showing a data processor which executes processing for generating pseudorandom numbers according to the invention;
Fig. 8 is a flowchart of a program for generating pseudorandom numbers according to the third embodiment;
Fig. 9 is a diagram showing an example of a method of generating pseudorandom numbers according to a method other than the Montgomery method;
Fig. 10 is a flowchart of a program for generating pseudorandom numbers according to the fourth embodiment;
Fig. 11 is a block diagram showing an example of the configuration of a modular multiplication circuit according to the fourth embodiment;
Fig. 12 is a flowchart of a program for generating pseudorandom numbers according to the fifth embodiment;
Fig. 13 is a block diagram showing an example of the configuration of a modular multiplication circuit according to the fifth embodiment;
Fig. 14 is a block diagram showing an example of the configuration of a modular multiplication circuit according to the sixth embodiment;
Fig. 15 is a diagram showing a common-key encrypted communication network according to a seventh embodiment;
Fig. 16 is a diagram showing the construction of a communication apparatus according to the seventh embodiment;
Fig. 17 is a diagram showing secret communication in an encrypted communication system according to the seventh embodiment; and
Fig. 18 is a block diagram showing an example of the configuration of an encryption/decryption circuit for the RSA cryptosystem.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Preferred embodiments of the present invention will now be described with reference to the accompanying drawings.

<First Embodiment>

Fig. 1 is a diagram illustrating the configuration of an encryption system according to a first embodiment of the invention. This embodiment deals with an encryption system in an n vs. n communication arrangement of the kind shown in Fig. 1. Numeral 1 denotes a communication network. In this embodiment the network is a local communication network such as a local area network (LAN) or a wide area communication network such as a telephone circuit. Communication devices 2_1 - 2_n are connected to the network 1 and to terminals 3_1 - 3_n which can be accessed by users. (When the communication devices are referred to generically below, the term "communication device 2" will be used.) The users employ the terminals 3_1 - 3_n to create data. (When the terminals are referred to generically below, the term "terminal 3" will be used.)

Encryption devices 4_1 - 4_n encrypt input data that is to be transmitted and then output the encrypted data. (When the encryption devices are referred to generically below, the term "encryption device 4" will be used.) The encryption device 4 is incorporated in the communication device 2 (which is the case in encryption device 4_1), inserted between the communication device 2 and the communication network 1 (which is the case in encryption device 4_2), or incorporated in the terminal 3 connected to the communication device 2 (which is the case in encryption device 4_3). Even if the encryption device 4 has not been connected to the communication device, it is possible to incorporate the encryption device in a portable device such as an IC card which can be used upon being connected to the communication device 2 or terminal 3 when necessary. Users who employ the communication devices 2 or terminals 3 perform secret communication, authentication communication or encrypted communication such as key distribution, zero-knowledge authentication, etc., by means of the encryption devices having modular multiplication circuits according to this embodiment.

This encryption system is applicable to communication arrangements other than that shown in Fig. 1. For example, Fig. 2 is a diagram illustrating the manner in which the encryption system of this embodiment is applied to a memory arrangement. Numeral 5 in Fig. 2 denotes a magnetic disk for storing encrypted data transferred from access units 6_1 - 6_n. The access units 6_1 - 6_n place data, which has been encrypted by the respective encryption devices 4, in the magnetic disk 5. Thus, users are capable of utilizing the encryption system individually by means of encryption devices that employ the arithmetic circuits and method of this embodiment in a memory arrangement in the same manner as is done in a communication arrangement.

A description will now be given of a communication method using the RSA cryptosystem. Encryption and decryption are respectively represented by the following formulae:

Encryption: C = M^e mod N
Decryption: M = C^d mod N

wherein M represents a plain text to be transmitted, C indicates a cryptogram, e indicates an encryption key opened to the public, d indicates a decryption key and N represents a modulus which is opened to the public.



Thus, encryption and decryption of the RSA cryptosystem can be executed by modular exponentiation circuits which have constructions similar to each other. The following description, therefore, mainly refers to encryption.

The modular exponentiation C = M^e mod N may be conducted simply by repeating modular multiplication of two numbers. When M and e are large, however, the amount of computation becomes huge. According to the invention, therefore, computation is executed in accordance with the following algorithm. In the algorithm shown below, e is an integer having k bits and is expressed by:

e = [e_k, e_{k-1}, ..., e_2, e_1]

Algorithm B

INPUT M, e, N                                 (input)
C = 1                                         (initial set)
For i = k to 1
    If e_i = 1 Then C = C·M mod N             (computation 1)
    If i > 1 Then C = C·C mod N               (computation 2)
Next

In this case, therefore, the modular exponentiation is conducted by repeating the modular multiplication C = C·B mod N (B is M or C).

A circuit capable of efficiently executing the algorithm is shown in Fig. 18. Referring to Fig. 18, reference numerals 281 and 282 represent shift registers for respectively storing the values of M and e. Reference numerals 283 and 284 represent registers for respectively storing the values of N and C. Reference numerals 285 and 286 represent select switches for selecting the inputs, and 287 represents a multiplexer for selecting the value of C in the register 284 for each m bits (m is an arbitrary integer) from the upper digits and transmitting it in serial. Reference numeral 288 represents a modular multiplication circuit for executing the calculation C = C·B mod N. Reference numeral 289 represents a controller for discriminating whether or not e_i = 1 or i > 1 in order to control computations 1 and 2 of Algorithm B, and for controlling a clear signal or a preset signal for the selector and the register at the time of receipt of the signal or at initialization. The controller 289 can easily be formed by a counter, a ROM and some logic circuits.

The operation of the circuit shown in Fig. 18 will now be described.

The circuit receives the plain text M, the public key e and the public modulus N. Therefore, M, e and N are supplied in serial or in parallel to the register 283. At this time, the selector 285 selects M to supply M to the register 281. Simultaneously, initialization is performed in such a manner that C = 1 by the clear signal or the preset signal for the register, as an alternative to supplying the value of C to the register 284.
After the input and the initialization have been completed, the modular multiplications in accordance with computations 1 and 2 are commenced. The difference between computation 1 and computation 2 lies in the fact that B is M or C in the modular multiplication C = C·B mod N. Therefore, in a case where computation 1 is executed, the selector 286 selects the serial output M for each m bits from the register 281. In a case where computation 2 is executed, the selector 286 selects the serial output C for each m bits from the multiplexer 287. The serial output M for each m bits from the shift register 281 is again supplied to the shift register 281 via the selector 285. The modular multiplication circuit 288 is constituted and operated as described above. The output C from the modular multiplication circuit 288 is supplied in parallel to the register 284 so as to be used in the next modular multiplication, so that computations 1 and 2 are efficiently repeated. If the apparatus is arranged to receive C and d in place of M and e, a cryptogram can be decrypted.

Input values and parameters are decided based upon the following condition in order to equalize the ranges of the input and output values in Equation (A-2) cited above. The condition is:

"The range of P obtained from Equation (A-2) satisfies the relation 0 ≤ P < 2N, where the input values A and B satisfy the relations 0 ≤ A, B < 2N, respectively, and the parameters N and R satisfy the relations 0 < N < 2^n and R = 2^(n+2) (where n is any integer), respectively."

The above-mentioned condition is validated as follows:

"If R = 2^(n+2) holds, M < R is established from Equation (A-3). Since N < 2^n holds, we have 2N + M/2 < R. Accordingly, on the basis of 0 ≤ A, B < 2N, we have

P = (A·B + M·N)/R < (2N + M/2)·2N/R < 2N

Since 0 ≤ P holds from Equations (A-2), (A-3), we have 0 ≤ P < 2N."

Thus, if the conditions 0 < N < 2^n, 0 ≤ A, B < 2N, R = 2^(n+2) (where n is any integer) are satisfied, the P outputted by the Montgomery method can be made to satisfy the relation 0 ≤ P < 2N, which is a range the same as that of the input values A, B. Accordingly, a result P of modular multiplication which falls within the range of the input values can be obtained at all times by executing modular multiplication based upon the Montgomery method using a circuit for setting the integers N, A, B, R which satisfy the above-mentioned conditions, and a circuit for operating on the integers N, A, B, R which satisfy the above-mentioned conditions.

Fig. 3 is a block diagram showing an example of the configuration of a modular multiplication circuit according to the first embodiment. Numeral 100 denotes the modular multiplication circuit, which includes a multiplier 101 for executing multiplication between the input values A and B. The input values A, B, which are produced by the terminal 3, are items of data to be encrypted and transferred to the communication network 1 or magnetic disk 5.

A multiplier 102 executes multiplication between the output (A × B) of multiplier 101 and N' (= -N^{-1} mod R), which is decided by the set parameters N and R, and outputs the lower n+2 bits of the product as A × B × N' mod R (output M). A multiplier 103 executes multiplication between this output M and the set parameter N and then outputs the product (M × N). An adder 104 adds the output (A × B) of multiplier 101 and the output (M × N) of multiplier 103. A shift register 105 executes the operation 1/2^(n+2) by shifting the output data from adder 104 leftward by n+2 bits. The shift register 105 produces the output P = [(A × B) + (M × N)]/2^(n+2). Numerals 110, 111 denote constant generating circuits for respectively outputting the constants -N^{-1} mod R and N.

The modular multiplication circuit 100 is realized by the simple circuit construction described above. Furthermore, the output value P falls within the range of the input values A and B at all times owing to the fact that the input values A, B and the parameters R, N are decided in accordance with the above-mentioned conditions. Accordingly, even if the encryption device 4 uses cryptography that requires modular multiplication to be executed a plurality of times, it is possible to apply the modular multiplication circuit 100 to the encryption device 4. As a result, an encryption system in which modular multiplication can be utilized efficiently is constructed.

<Second Embodiment>

In the modular multiplication circuit according to the first embodiment, the output value P falls within the range of the input values A and B at all times in modular multiplication using the Montgomery method. In the second embodiment, the modular multiplication represented by Q = A·B mod N, which is often used in encryption and is executed by the modular multiplication circuit 288 in Fig. 18 for example, is implemented using the above-mentioned modular multiplication circuit.

In order to obtain the above-mentioned output Q using the Montgomery method, it is required that the following two equations be executed in succession:

P = A·B·R^{-1} mod N = (A·B + M1·N)/R    (A-4)
Q = P·Rr·R^{-1} mod N = (P·Rr + M2·N)/R    (A-5)

where

M1 = A·B·N' mod R
M2 = P·Rr·N' mod R
Rr = R^2 mod N

In this case, the output P indicated by Equation (A-4) satisfies the relation 0 ≤ P < 2N on the basis of the first embodiment, and 0 ≤ Rr < N < 2N holds by definition. Accordingly, each parameter of Equation (A-5) also satisfies the conditions of the first embodiment, and therefore the modular multiplication Q can be performed by a modular multiplication circuit whose construction is identical with that of the first embodiment, which implements the Montgomery method, on the basis of the output value P and the set value Rr.

Fig. 4 is a diagram showing an example of the configuration of a modular multiplication circuit for obtaining the output Q in the second embodiment. Here the output value Q is obtained by an arrangement in which two of the above-mentioned modular multiplication circuits 100 are serially connected as shown. To facilitate the description, the second stage of the modular multiplication circuit is designated by reference numeral 100'. Numeral 200 denotes a constant generator for generating Rr obtained from the parameters N and R. The output Rr is fed into the modular multiplication circuit 100'. When the output P of the modular multiplication circuit 100, which is obtained by the inputs A and B, and the output Rr of the constant generator 200 are inputted to the modular multiplication circuit 100', M2 is obtained from the multiplier 102 and the output Q represented by Equation (A-5) is obtained.
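The two-stage arrangement of Equations (A-4) and (A-5) in software, as an added example that is not part of the patent's text: circuit 100 is modelled as a function that keeps the text's conditions (0 < N < 2^n, 0 ≤ A, B < 2N, R = 2^(n+2)), and an exhaustive check confirms that P stays below 2N and that Q is congruent to A·B modulo N. The parameter values N = 101, n = 7 and the function names are assumptions made for the example.

```python
# Added example (not the patent's own code): the Montgomery modular
# multiplication circuit of the first embodiment, modelled in software,
# and the two-stage arrangement of Fig. 4 that yields Q = A*B mod N.
# Conditions from the text: 0 < N < 2^n (N odd), 0 <= A, B < 2N, R = 2^(n+2).

def mont_params(N, n):
    """Set parameters R = 2^(n+2) and N' = -N^-1 mod R (constant generator 110)."""
    assert 0 < N < (1 << n) and N % 2 == 1
    R = 1 << (n + 2)
    N_prime = (-pow(N, -1, R)) % R      # modular inverse, Python >= 3.8
    return R, N_prime

def mont_mul(A, B, N, n):
    """One pass through circuit 100: P = (A*B + M*N)/R, with 0 <= P < 2N."""
    R, N_prime = mont_params(N, n)
    assert 0 <= A < 2 * N and 0 <= B < 2 * N
    T = A * B                          # multiplier (A x B)
    M = (T * N_prime) % R              # multiplier 102: only the low n+2 bits are kept
    P = (T + M * N) >> (n + 2)         # multiplier 103, adder 104, shift register 105
    # A*B + M*N is a multiple of R by construction, so the shift is an exact
    # division; A*B < 4N^2 < R*N gives P < N + N = 2N.
    assert 0 <= P < 2 * N
    return P

def mont_mul_twice(A, B, N, n):
    """Second embodiment (Fig. 4): Q = Mont(Mont(A, B), Rr) with Rr = R^2 mod N."""
    R, _ = mont_params(N, n)
    Rr = (R * R) % N                   # constant generator 200
    P = mont_mul(A, B, N, n)           # circuit 100:  P = A*B*R^-1 mod N   (A-4)
    Q = mont_mul(P, Rr, N, n)          # circuit 100': Q = P*Rr*R^-1 mod N  (A-5)
    return Q                           # Q ≡ A*B (mod N), 0 <= Q < 2N

def modmul(A, B, N, n):
    """Fully reduced product: one conditional subtraction brings Q into [0, N)."""
    Q = mont_mul_twice(A, B, N, n)
    return Q - N if Q >= N else Q

def exhaustive_check(N, n):
    """Verify the range and congruence claims for every A, B in [0, 2N)."""
    for A in range(2 * N):
        for B in range(2 * N):
            Q = mont_mul_twice(A, B, N, n)
            if not (0 <= Q < 2 * N and Q % N == (A * B) % N):
                return False
            if modmul(A, B, N, n) != (A * B) % N:
                return False
    return True

if __name__ == "__main__":
    # Constructed parameters: N = 101 < 2^7, so n = 7 and R = 2^9 = 512.
    print(exhaustive_check(101, 7))
```

The output of the second stage is congruent to A·B but may still lie in [N, 2N); `modmul` shows the single conditional subtraction that yields the fully reduced residue when one is needed.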

According to the second embodiment, two of the modular multiplication circuits 100 are used to obtain the output Q. However, the invention is not limited to this embodiment. For example, an arrangement is possible in which reliance is placed upon one modular multiplication circuit 100 by using a selector 301 and a selector 302, as shown in Fig. 5.

Fig. 5 is a block diagram showing the configuration of a modification of the second embodiment. The selector 301 selects either the input value A or the output value (P) of the modular multiplication circuit 100, latches the selected value and outputs it to the modular multiplication circuit 100. The selector 302 selects either the input value B or the output value (Rr) of the constant generator 200, latches the selected value and outputs it to the modular multiplication circuit 100. A select signal 303, which is generated by a CPU or other suitable circuit (not shown), is a signal which changes over the selectors 301, 302. The select signal 303 causes the selectors 301, 302 to select and latch the respective input values A, B at the timing at which the input values A, B are accepted. Accordingly, the modular multiplication circuit 100 produces the output value P. Next, in response to the select signal 303, the selectors 301, 302 select and latch the output value P and constant Rr, respectively. As a result, the inputs to the modular multiplication circuit 100 at this time are the output value P and the constant Rr, and therefore the output value Q is obtained from the modular multiplication circuit 100.

By using the above-described modular multiplication circuit in the encryption system shown in Fig. 1, it is possible to construct an encryption system capable of executing modular multiplication efficiently.

Thus, in accordance with each of the foregoing embodiments, modular multiplication can be executed while making the ranges of the input and output values of the Montgomery method the same. As a result, it is possible to execute efficiently an operation based upon repetition of the Montgomery method, and various encryption systems using modular multiplication that utilizes the Montgomery method can be constructed efficiently.

Further, since Equations (A-2) - (A-5) are indicative of integral operations, the arithmetic circuitry and techniques for realizing modular multiplication are not limited to those of the foregoing embodiment. For example, it is obvious that this can be realized by carrying out the arithmetic operations by software using a CPU or the like.

Thus, in accordance with the embodiments as described above, modular multiplication represented by P = A·B·R^(-1) mod N can be executed, without changing the ranges of the input and output values, by using the Montgomery method. Accordingly, there is obtained an encryption device in which encryption using modular multiplication is performed efficiently.

Furthermore, modular multiplication represented by Q = A·B mod N can be executed efficiently by the Montgomery method, and there is obtained an encryption device in which encryption using modular multiplication is performed efficiently.

<Third Embodiment> 

A method of generating pseudorandom numbers according to a third embodiment makes it possible to eliminate the operation of Equation (B-13) by using a_i, which is obtained directly by
a_i = lsb(y_i) (i = 0, 1, 2, ...)   (B-17)
from y_i of Equation (B-12), as a cryptologically secure sequence of pseudorandom numbers. The method raises the speed at which pseudorandom numbers are generated without detracting from the security of the outputted random numbers.

The security of pseudorandom number generation using Equation (B-1) utilizes the fact that it is very difficult to obtain b_i from x_{i+1}, namely the fact that b_i is a hard core bit of x_{i+1}. A case in which pseudorandom numbers are generated using Equations (B-11), (B-17) also is such that it is very difficult to obtain a_i from y_{i+1}, which is the result of multiplying by a certain constant R. In other words, since a_i is a hard core bit of y_{i+1}, the security of pseudorandom number generation using Equations (B-11) and (B-17) also is the same as that of pseudorandom number generation using Equation (B-1).

In accordance with this embodiment, as described above, it is possible to generate a sequence of pseudorandom numbers having the same degree of security as that of Equation (B-1) at higher speed or with circuitry of smaller scale without executing the processing of Equation (B-13). Generation/reproduction of communication data can be performed at high speed using the method of this embodiment.

The fact that the security of pseudorandom number generation using Equations (B-11) and (B-17) is the same as that of pseudorandom number generation using Equation (B-1) will be proven. First, however, the symbols used will be simply defined. For the details, see "Modern Cryptographic Theory" [by Shinichi Ikeno and Kenji Koyama, published in 1986, Denshi Joho Tsushin Gakkai, pp. 14 - 15, 95 - 96].

• Quadratic residue
When there is a solution to s^2 ≡ c (mod p), c is a quadratic residue of p. When there is no solution, c is a quadratic non-residue.

• Legendre symbol (x/p) :
When p is a prime number and x ≢ 0 (mod p) holds, we have
(x/p) = 1 : when x is a quadratic residue of p
      = -1 : when x is a quadratic non-residue of p

• Z*_N : an integer in the range from 0 to N-1 which is relatively prime with respect to N

• Jacobi symbol (x/N) :
With respect to x ∈ Z*_N and N = p·q (where p, q are prime numbers), the Jacobi symbol (x/N) is represented by the following using the Legendre symbol (x/p) :
(x/N) = (x/p)·(x/q)

• Z*_N(+1) = {x ∈ Z*_N | (x/N) = 1}

• Z*_N(-1) = {x ∈ Z*_N | (x/N) = -1}

• Q1 = {x ∈ Z*_N | (x/p) = (x/q) = 1}

• Q2 = {x ∈ Z*_N | (x/p) = (x/q) = -1}

• Q3 = {x ∈ Z*_N | (x/p) = -(x/q) = 1}

• Q4 = {x ∈ Z*_N | (x/p) = -(x/q) = -1}
Illustrating that the security of pseudorandom number generation using Equations (B-11) and (B-17) is the same as the security of pseudorandom number generation using Equation (B-1) is equivalent to proving the following proposition:

[Proposition]

"If a_i can be inferred correctly from the pseudorandom number sequence a_{i+1}, a_{i+2}, ... generated from Equations (B-11), (B-17), the quadratic residue property thereof can be judged with respect to any c [c ∈ Z*_N(+1)]."

[Proof]

When R ∈ Q1 holds, the following hold with respect to any c [c ∈ Z*_N(+1)] :
b = R·c mod N
y_{i+1} = R^(-1)·b^2 mod N
and a_{i+1}, a_{i+2}, ... are generated by Equations (B-11), (B-17), with y_{i+1} serving as an initial value. At this time we have
b ∈ Z*_N(+1)
y_{i+1} ∈ Q1
At this time, if we let the solutions to
y_{i+1} = R^(-1)·z^2 mod N
y_{i+1}·R = z^2 mod N
be z_j (j = 1, 2, 3, 4) (where z_j ∈ Q_j), then
a_i = lsb(z_1)
can be predicted from
z_1 ≡ -z_2 (mod N)
z_3 ≡ -z_4 (mod N)
by assumption. Accordingly,

if a_i = lsb(b) holds, then b ∈ Q1, at which time c ∈ Q1 holds;

if a_i ≠ lsb(b) holds, then b ∈ Q2, at which time c ∈ Q2 holds.

Similarly, the quadratic residue property of c can be judged also when R ∈ Q2, R ∈ Q3, R ∈ Q4 hold.
Q.E.D.

Fig. 6 is a diagram showing the configuration of 
a pseudorandom number generator 1101 according to 
this embodiment. The pseudorandom number gener- 
ator 1101 comprises a quadratic-residue arithmetic 
unit 1102 and a logical operation unit 1103. 

The quadratic-residue arithmetic unit 1102 performs the operations, which are indicated by the following equations, in the form of a chain to generate y_1, y_2, ... from the initial value y_0, N, which is the modulus of modular multiplication, and an arbitrary constant R, which is a relatively prime number with respect to N:
y_{i+1} = R^(-1)·y_i^2 mod N (i = 0, 1, 2, ...)   (B-18)
N = p·q   (B-19)
where p, q are prime numbers of p ≡ q ≡ 3 (mod 4).

Further, R is an arbitrary number which is relatively prime with respect to N.

The y_1, y_2, ..., y_{i+1} generated are outputted sequentially on output line 1105.

The operational method represented by the foregoing equations is referred to as the Montgomery method, as mentioned earlier. According to the Montgomery method, the operations indicated by the following equations are actually performed in order to obtain the computational result y_{i+1}:
y_{i+1} = (y_i^2 + M·N)/R (i = 0, 1, 2, ...)   (B-20)
where
M = y_i^2·N' mod R   (B-21)
N' = -N^(-1) mod R   (B-22)
Since N is an odd number, R and N are relatively prime integers if R = 2^t holds (where t is an arbitrary integer). In this case, division by R and a residue operation do not necessitate actual operations and y_{i+1} can be computed at high speed by multiplication and addition.

In a case where the quadratic-residue arithmetic unit 1102 is constructed of hardware, for example, the operation based upon the Montgomery method can readily be executed by providing an adder, a multiplier and a basic arithmetic unit such as a shifter which performs a bit shift for division by R and a residue operation. Furthermore, use can be made of a Montgomery arithmetic circuit illustrated in the literature "Exponential Algorithm and Systolic Array Using the Montgomery Method" (Iwamura, Matsumoto, Imai; vol. 92, No. 134, pp. 49 - 54, 1992).

The values of y_1, y_2, ... outputted sequentially on output line 1105 of the quadratic-residue arithmetic unit 1102 enter the logical operation unit 1103. The latter extracts an arbitrary bit (or bits) in a range of lower-order log2 n (where n represents the number of digits of N in binary notation) bits of each of the entered y_1, y_2, ... and outputs these bits as a pseudorandom number on output line 1106. For example, all of the lower-order log2 n bits may be outputted as a pseudorandom number or only the least significant bit may be outputted as a pseudorandom number.

In a case where the logical operation unit 1103 is constituted by hardware, use can be made of a parallel-input, serial-output shift register which latches the entered y_i (i = 1, 2, ...) in parallel and outputs, in serial form, the lower-order log2 n bits.

A case will now be described in which the above- 
described method of generating pseudorandom num- 
bers is realized by software. 

Fig. 7 is a diagram showing the configuration of a data processor 115 in which a program for generating pseudorandom numbers has been loaded in order to realize the pseudorandom number generating method of the third embodiment by means of software. Here a CPU 110 controls the overall data processor 115 in which a program for generating pseudorandom numbers has been loaded. A keyboard 111 is for entering a command which starts the pseudorandom number generating program as well as the values of various parameters for the pseudorandom number generating program. The pseudorandom number generating program according to this embodiment is stored in a ROM 113 in advance. The program is executed by the CPU 110 while it is being read out. A RAM 114 is a working area used to execute the pseudorandom number generating program and stores the results of generating the pseudorandom numbers. A communication interface 116 encrypts an input text by using the pseudorandom numbers stored in the RAM 114 and outputs the encrypted text on a communication line.

Fig. 8 is a flowchart for describing the processing of the pseudorandom number generating program. This processing will now be described with reference to the flowchart. The basis of the pseudorandom number generating program is execution of the operations of Equations (B-7) - (B-9).

At step S1, prime numbers which are 3 (mod 4) are selected arbitrarily and set as p, q. The operation p·q is performed and the result is set as N. Arbitrary numbers are set as t and R, which are relatively prime with respect to N and satisfy R = 2^t. In addition, N^(-1) mod R is computed and the result is set as N'.



An arbitrary initial value for generating random numbers is set as y_0 at step S2.

The operation -N^(-1) mod 2^t is performed at step S3 and the result is set as N'.

Next, i, which indicates the number of repetitions of random number generation, is initialized to "0" at step S4.

This is followed by step S5, at which y_i^2·N' mod 2^t is computed and the result set as M. Although here the processing for dividing y_i^2·N' by 2^t is fundamental, the division can be executed at high speed since it will suffice if y_i^2·N' is processed by a t-bit shift.

Next, at step S6, the operation (y_i^2 + M·N)/2^t is performed and the result is set as y_{i+1}. This division also can be processed at high speed since the t-bit shift is fundamental.

Next, at step S7, a series of bits of a prescribed number at prescribed positions is extracted from y_i and set as rand(i). It should be noted that rand(i) is a one-dimensional array.

The value of i is compared with a prescribed End value at step S8 and the program proceeds to step S9 if the value of i is less than the End value. It should be noted that the End value has been set to correspond to the quantity of sequences of random numbers desired to be generated. This may be set from the keyboard 111 or by a separate program which calls the pseudorandom number generating program.

This is followed by step S9, at which i is counted up in order to generate the next random number. Processing from step S5 onward is then executed again to continue the generation of subsequent random numbers.

By executing the above-described processing, a series of pseudorandom number sequences is generated in the array area rand.
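The processing of steps S1 to S9 written out in Python, as an added example rather than the patent's program: the Montgomery squaring chain of Equations (B-20) to (B-22) fills the array rand, and a plain squaring chain read through y_i = R·x_i mod N serves as the reference the text's security argument relies on. The primes, initial value and t are constructed values chosen for the example, and the example folds each y_{i+1} into [0, N) because Equation (B-18) is stated modulo N.

```python
# Added example (not the patent's own program): the pseudorandom number
# generating procedure of Fig. 8 (steps S1-S9) in software, using the
# Montgomery squaring chain of Equations (B-20)-(B-22) in place of
# y_{i+1} = R^-1 * y_i^2 mod N (B-18).  The values of p, q, y0 and t are
# constructed for the example and are far too small for real use.

def montgomery_square(y, N, N_prime, t):
    """Steps S5/S6: M = y^2 * N' mod 2^t, y' = (y^2 + M*N) / 2^t (bit operations only)."""
    sq = y * y
    M = (sq * N_prime) & ((1 << t) - 1)      # residue mod 2^t: keep the low t bits
    y_next = (sq + M * N) >> t               # exact division by 2^t: a t-bit shift
    # (B-18) is defined modulo N, so fold the result into [0, N).  With y < N
    # and R = 2^t > N the shifted sum is below 2N; because N is odd, the low
    # bit of y_next would otherwise depend on whether N had been subtracted.
    if y_next >= N:
        y_next -= N
    return y_next

def generate(p, q, t, y0, end, bits=1):
    """Run the chain y_{i+1} = R^-1 y_i^2 mod N and collect rand(i), the `bits`
    lowest-order bits of each y_i, for i = 0 .. end-1."""
    assert p % 4 == 3 and q % 4 == 3                 # step S1: p ≡ q ≡ 3 (mod 4)
    N = p * q
    R = 1 << t
    assert R > N                                     # keeps every shifted sum below 2N
    N_prime = (-pow(N, -1, R)) % R                   # step S3: N' = -N^-1 mod 2^t
    mask = (1 << bits) - 1
    rand = []                                        # the one-dimensional array rand
    y = y0 % N                                       # step S2: initial value
    for i in range(end):                             # steps S4, S8, S9
        rand.append(y & mask)                        # step S7: extract prescribed bits
        y = montgomery_square(y, N, N_prime, t)      # steps S5, S6
    return rand

def bbs_bits(p, q, t, x0, end, bits=1):
    """Reference: the plain chain x_{i+1} = x_i^2 mod N, read through y_i = R*x_i mod N.
    It must produce the same bits as generate() when y0 = R*x0 mod N."""
    N = p * q
    R = 1 << t
    mask = (1 << bits) - 1
    out = []
    x = x0 % N
    for _ in range(end):
        out.append(((R * x) % N) & mask)
        x = (x * x) % N
    return out

if __name__ == "__main__":
    p, q, t = 1019, 1031, 23        # constructed: 1019 ≡ 1031 ≡ 3 (mod 4), 2^23 > p*q
    x0 = 123456
    y0 = ((1 << t) * x0) % (p * q)  # start the Montgomery chain at R*x0 mod N
    print(generate(p, q, t, y0, 16))
    print(bbs_bits(p, q, t, x0, 16))
```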

The foregoing illustrates a method of generating pseudorandom numbers by the Montgomery method. In general, however, a modular multiplication can be performed with respect to a number C·x^2 obtained by multiplying the result x^2 of a quadratic operation by an arbitrary constant C, and pseudorandom numbers can be generated from a prescribed number of bits of y = C·x^2 mod N obtained as a result. Fig. 9 is a diagram showing the configuration of a pseudorandom number generator 120 according to a modification of the third embodiment. The pseudorandom number generator 120 comprises a quadratic-residue arithmetic unit 121 and a logical operation unit 122.

The quadratic-residue arithmetic unit 121 performs the operations, which are indicated by the following equations, in the form of a chain to generate y_1, y_2, ... from the initial value y_0 and the arbitrary constant C:
y_{i+1} = C·y_i^2 mod N (i = 0, 1, 2, ...)
N = p·q
where p, q are prime numbers of p ≡ q ≡ 3 (mod 4).
Since the operations indicated in the quadratic-residue arithmetic unit 121, namely
y_i^2 mod N
C·y_i^2 mod N
are both modular multiplication operations, it will suffice if the quadratic-residue arithmetic unit 121 is arranged to perform modular multiplication operations. In a case where the unit is constituted by hardware, it is also possible to use a modular multiplication arithmetic circuit illustrated in the literature "Method of Constructing RSA Encryption Device by Parallel Processing" (Iwamura, Matsumoto, Imai; Denshi Joho Tsushin Gakkai Ronbun A, vol. J75-A, No. 8, pp. 1301 - 1311, 1992). The output of the quadratic-residue arithmetic unit 121 enters the logical operation unit 122. The latter generates and outputs a sequence of random numbers from an arbitrary bit (or bits) in a range of lower-order log2 n (where n represents the number of digits of N in binary notation) bits of each of the entered y_1, y_2, ...

The logical operation unit 122 is capable of outputting, as a pseudorandom number, arbitrary bits in a range of lower-order log2 n bits of each of the entered y_1, y_2, .... For example, all of the lower-order log2 n bits may be outputted as a pseudorandom number or only the least significant bit may be outputted as a pseudorandom number.

In accordance with the third embodiment, as described in detail above, in a case where cryptologically secure pseudorandom numbers are generated by the Montgomery method, prescribed bits of y_i obtained by Equation (B-11) are used as a pseudorandom number, thereby making it possible to dispense with the operation of Equation (B-13), which is necessary in the prior art, without detracting from security. By adopting this arrangement, a sequence of pseudorandom numbers having the same degree of security as that of the prior art can be generated at high speed or by circuitry of smaller scale.

Thus, as described above, generation/reproduction of communication data can be performed at high speed using the pseudorandom numbers generated by the method and apparatus of this embodiment.

<Fourth Embodiment>

The purpose of the pseudorandom number generator according to the fourth embodiment is to eliminate the operation indicated by equation (*3) of the above-described Algorithm 2, thereby making it possible to generate a sequence of pseudorandom numbers at higher speed or by circuitry of smaller scale while maintaining a degree of security the same as that of Equation (B-3).

First, the following is an Algorithm 3 for a case in which the operation of equation (*3) of Algorithm 2 has been eliminated:



[Algorithm 3]

INPUT x_0, e, N, s, Rr = R^2 mod N
y_0 = Mont(x_0, Rr)
FOR i = 0 TO s
  y_{i+1} = Mont(1, Rr)
  FOR j = k TO 1
    IF e_j = 1 THEN y_{i+1} = Mont(y_{i+1}, y_i)
    IF j > 1 THEN y_{i+1} = Mont(y_{i+1}, y_{i+1})
  NEXT
  OUTPUT y_{i+1} (= R^(-(e-1))·y_i^e mod N)
NEXT

The series y_i (i = 0, 1, 2, ..., s) obtained by executing Algorithm 3 is indicated by Equation (B-15). A pseudorandom number generator according to the fourth embodiment for a case in which equation (*3) of Algorithm 2 has been eliminated uses a_i obtained by
a_i = lsb(y_i) (i = 0, 1, 2, ...)   (B-23)
from y_i of Equation (B-15) as a cryptologically secure pseudorandom number.

The security of pseudorandom number generation using Equations (B-15) and (B-23) will be considered. The security of pseudorandom number generation using Equation (B-3) utilizes the fact that it is very difficult to obtain b_i from x_{i+1}, namely the fact that b_i is a hard core bit of x_{i+1}. The series y_i (i = 0, 1, 2, ...) obtained by Equation (B-15) are values obtained by multiplying the series x_i (i = 0, 1, 2, ...), which is obtained by Equation (B-3), by the constant R and taking the residue modulo N [see Equation (B-16)]. Accordingly, if it is very difficult to obtain b_i = lsb(x_i) from x_{i+1}, then it will also be very difficult to obtain a_i = lsb(y_i) [= lsb(R·x_i mod N)] from y_{i+1} (= R·x_{i+1} mod N), which is the result of multiplying x_{i+1} by the constant R and taking the residue modulo N. In other words, since a_i is a hard core bit of y_{i+1}, the security of pseudorandom number generation using Equations (B-15) and (B-23) also is the same as that of pseudorandom number generation using Equation (B-3).

A processing flowchart for executing Algorithm 3 will now be described with reference to Fig. 10.

Values of x_0, e, N, s and R are entered at step S10. Here s is the number of repetitions of the modular multiplication. Further, R satisfies R = 2^t (where t is an integer).

The operation Mont(x_0, Rr) is performed at step S11 and the result is set as y_0. Here Mont(x_0, Rr) is a function, in which x_0, Rr are variables, for performing the operations of Equations (B-7), (B-8) and (B-9). It should be noted that Equation (B-9) can be computed in advance and N' is treated as a constant. In actuality, therefore, the operations of Equations (B-7), (B-8) are performed to obtain Mont(x_0, Rr). In the operations of Equations (B-7), (B-8), modulus R is expressed by 2^t beforehand and therefore the required division can be executed by a bit-shift.

A counter i of repetitions of the residual operation first is initialized to "0" at step S12. Whenever this step is entered, the counter i is incremented and processing proceeds to the next step. The count-up operation is performed up to s.

Next, at step S13, the operation Mont(1, Rr) is performed and the result is set as y_{i+1}.

This is followed by step S14, at which a bit pointer j for pointing to each bit of e is first set at k. Here k is the bit length of e and is assumed to be set in advance. Whenever this step is entered, the bit pointer j is decremented and processing proceeds to the next step. The countdown proceeds to 1.

At step S15, it is determined whether the j-th bit e_j designated by the bit pointer j is "1" or not. If the bit e_j is "1", the program proceeds to step S16, the operation Mont(y_{i+1}, y_i) is performed and the result is set as y_{i+1}. If the bit e_j is "0", the program proceeds to step S17.

It is determined at step S17 whether the bit pointer j is greater than "1" or not. If j is not greater than or equal to "1", then the program proceeds to step S19. If j is greater than "1", the program proceeds to step S18, the operation Mont(y_{i+1}, y_{i+1}) is performed and the result is set as y_{i+1}.

Next, at step S19, it is determined whether the bit pointer j is a value in the interval "k - 1". If j is a value in this interval, then the program returns to the residual processing from step S14 onward. If j is outside this interval, then the program proceeds to step S100.

At step S100, y_{i+1} (i = 0, 1, 2, ...) is stored in a memory device or the like.

Next, at step S101, it is determined whether the counter i is a value in the interval "0 - s". If i is a value in this interval, then the program returns to residual processing from step S12 onward and the next residual processing operation is performed. If i is outside this interval, then residual processing is terminated.

Fig. 11 is a diagram showing the configuration of a pseudorandom number generator 193 according to the fourth embodiment of the present invention. A modular exponentiation arithmetic unit 190 performs the following operation, in the form of a chain, using the initial value x_0, N, which is the modulus of the modular exponentiation, the arbitrary constant R, which is a relatively prime number with respect to N, and the power e, and generates y_1, y_2, ...:
y_0 = R·x_0 mod N   (B-24)
y_{i+1} = R^(-(e-1))·y_i^e mod N (i = 0, 1, 2, ...)   (B-25)

Here N = p·q holds, where p, q are prime numbers and e (≥ 2) is an arbitrary constant.

The modular exponentiation arithmetic unit 190 executes Algorithm 3. The inputs to the modular exponentiation arithmetic unit 190 are the initial value x_0, the power e, the modulus N of the arithmetic operation, the constant R, Rr = R^2 mod N, and the number of repetitions s with regard to i. The modular exponentiation arithmetic unit 190, which successively outputs y_{i+1} (i = 0, 1, ..., s), comprises an input buffer 194, a decision unit 196, a Montgomery operation unit 195, a memory 198 and an output unit 197. The operating procedure of the modular exponentiation arithmetic unit 190 will now be described.

(1) First x_0, e, N, R, Rr, s are fed into the input buffer 194, whence e, s are input to the decision unit 196. The decision unit 196 separates e into k bits of [e_k, e_{k-1}, ..., e_2, e_1]. Furthermore, i = 0, j = k are set in two counters (not shown) with respect to i, j provided in the decision unit 196. The values of R, N fed in the input buffer 194 are set in the Montgomery operation unit 195, and the initial value x_0 and Rr of the Montgomery operation are held in the memory 198.

(2) On the basis of x_0, Rr in memory 198, y_0 is calculated in the Montgomery operation unit 195 and is held in the memory 198 as the initial value of the Montgomery operation together with y_1 = R.

(3) With respect to i = 0, j = k, the decision circuit renders the decisions e_j = 1, j > 1 and outputs an address signal to the memory 198 in dependence upon the decisions. The memory 198 holds y_i and y_{i+1}, but y_{i+1} is updated from time to time by the output of the Montgomery operation unit 195. The memory 198 stores the output y_{i+1} of the Montgomery operation in response to the address signal from the decision unit 196. Further, in dependence upon the address signal from the decision unit 196, the content of the memory 198 is read out and y_{i+1} or y_i enters the Montgomery operation unit 195. The Montgomery operation unit 195 performs the Montgomery operation in accordance with the output from the memory 198. The counter for j in the decision unit 196 is decremented by one count and this procedure is repeated until j = 0 is attained.

(4) When j = 0 is established, the decision unit 196 issues an enable signal to the output unit 197, which latches y_{i+1} prevailing at the time of j = 0. The output unit 197 outputs the latched y_{i+1} as the result of the modular exponentiation operation and, at the same time, y_{i+1} is held in the memory 198 as the next input of the Montgomery operation unit 195. The counter for i in the decision unit 196 is incremented by one count and steps (3), (4) of this procedure are repeated until i = s is attained.

(5) The procedure is terminated.

The output of the modular exponentiation arithmetic unit 190 enters the logical operation unit 191. The latter generates and outputs random numbers from an arbitrary bit (or bits) in a range of lower-order log2 n (where n represents the number of digits of N in binary notation) bits of each of the entered y_1, y_2, ...

The logical operation unit 191 is capable of outputting, as a pseudorandom number, arbitrary bits in a range of lower-order log2 n bits of each of the entered y_1, y_2, .... For example, all of the lower-order log2 n bits may be outputted as a pseudorandom number or only the least significant bit may be outputted as a pseudorandom number.

In a case where the logical operation unit is constituted by hardware, for example, it can be made by using a parallel-input, serial-output shift register which latches the entered y_i (i = 1, 2, ...) in parallel and sequentially outputs, in serial form, the lower-order log2 n bits.

In accordance with the fourth embodiment, as described in detail above, use is made of the computation procedure of Algorithm 3, which dispenses with the processing of equation (*3), which is necessary in the prior art in Algorithm 2. As a result, a sequence of pseudorandom numbers having the same degree of security as that of Equation (B-3) can be generated at high speed or by circuitry of smaller scale.

Thus, as described above, generation/reproduction of communication data can be performed at high speed using the pseudorandom numbers generated by the method and apparatus of the fourth embodiment.

<Fifth Embodiment>

The purpose of the pseudorandom number generator according to the fifth embodiment is to eliminate both of the operations indicated by equation (*1) and equation (*3) of the above-described Algorithm 2, thereby making it possible to generate a sequence of pseudorandom numbers at higher speed or by circuitry of smaller scale while maintaining a degree of security the same as that of Equation (B-3).

Algorithm 4 of the fifth embodiment is as follows:

[Algorithm 4]

INPUT y_0 (= x_0), e, N, R
FOR i = 0 TO s
  y_{i+1} = R
  FOR j = k TO 1
    IF e_j = 1 THEN y_{i+1} = Mont(y_{i+1}, y_i)
    IF j > 1 THEN y_{i+1} = Mont(y_{i+1}, y_{i+1})
  NEXT
  OUTPUT y_{i+1} (= R^(-(e-1))·y_i^e mod N)
NEXT

The series y_i (i = 0, 1, 2, ..., s) obtained by executing this algorithm is represented by the following using R, which is relatively prime with respect to N:
y_0 = x_0 mod N   (B-26)
y_{i+1} = R^(-(e-1))·y_i^e mod N (i = 0, 1, 2, ...)   (B-27)

In this case, when the sequence x_i (i = 0, 1, 2, ...) generated by Equation (B-3) and the sequence y_i (i = 0, 1, 2, ...) generated by Equation (B-27) are compared, we have
y_i = R**(1 - e^i)·x_i mod N (i = 0, 1, 2, ...)   (B-28)

Here "R**(1 - e^i)" signifies the (1 - e^i)-th power of R.
A pseudorandom generator according to the fifth embodiment in which equations (*1), (*3) in Algorithm 2 are eliminated uses a_i' obtained in accordance with
a_i' = lsb(y_i) (i = 0, 1, 2, ...)   (B-29)
from y_i of Equation (B-27) as a cryptologically secure sequence of pseudorandom numbers.
In terms of security, this case also can be said to be the same as that in which equation (*3) in Algorithm 2 is eliminated. The series y_i (i = 0, 1, 2, ...) obtained by Equation (B-27) are values obtained by multiplying the series x_i (i = 0, 1, 2, ...), which is obtained by Equation (B-3), by the constant R**(1 - e^i) and taking the residue modulo N [see Equation (B-28)].

Accordingly, if it is very difficult to obtain b_i = lsb(x_i) from x_{i+1}, then it will also be very difficult to obtain
a_i' = lsb(y_i) {= lsb((R**(1 - e^i)·x_i) mod N)}
from
y_{i+1} (= (R**(1 - e^(i+1))·x_{i+1}) mod N),
which is the result of multiplying x_{i+1} by the constant R**(1 - e^(i+1)) and taking the residue modulo N. In other words, since a_i' is a hard core bit of y_{i+1}, the security of pseudorandom number generation using Equations (B-27) and (B-29) also is the same as that of pseudorandom number generation using Equation (B-3).
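Algorithm 3 and Algorithm 4 implemented in Python as an added example (not the patent's own code), serving both the fourth embodiment's relation y_i = R·x_i mod N and the fifth embodiment's Equation (B-28); with e = 2 the same loop reproduces the squaring chain of the third embodiment. The modulus, R, x_0 and e are constructed values, and the function names are the example's own.

```python
# Added example (not the patent's own code): Algorithm 3 (fourth embodiment)
# and Algorithm 4 (fifth embodiment) in software, checked against the plain
# chain x_{i+1} = x_i^e mod N of Equation (B-3) through the relations
# y_i = R*x_i mod N (Algorithm 3) and y_i = R**(1 - e^i) * x_i mod N (B-28).
# p, q, x0, e and R below are constructed values, far too small for real use.

def mont(a, b, N, R, N_prime):
    """Mont(a, b) = a*b*R^-1 mod N via Equations (B-7)-(B-9), folded into [0, N)."""
    T = a * b
    M = (T * N_prime) % R              # (B-8); R is a power of two, so this is a mask
    u = (T + M * N) // R               # (B-7); exact division, a bit shift in hardware
    return u - N if u >= N else u      # fold so every y_i is the value modulo N

def exp_chain(y0, e, N, R, s):
    """Common inner loop of Algorithms 3 and 4: for i = 0..s compute
    y_{i+1} = R^-(e-1) * y_i^e mod N from the accumulator R (Montgomery form of 1),
    scanning the bits e_k..e_1 of e with multiply-then-square; no square at j = 1."""
    N_prime = (-pow(N, -1, R)) % R     # N' = -N^-1 mod R (B-9), computed once
    k = e.bit_length()
    ys = [y0]
    for _ in range(s + 1):             # FOR i = 0 TO s
        y_i = ys[-1]
        acc = R % N                    # y_{i+1} = R (Algorithm 4) or Mont(1, Rr) (Algorithm 3)
        for j in range(k, 0, -1):      # FOR j = k TO 1
            if (e >> (j - 1)) & 1:     # IF e_j = 1 THEN y_{i+1} = Mont(y_{i+1}, y_i)
                acc = mont(acc, y_i, N, R, N_prime)
            if j > 1:                  # IF j > 1 THEN y_{i+1} = Mont(y_{i+1}, y_{i+1})
                acc = mont(acc, acc, N, R, N_prime)
        ys.append(acc)                 # OUTPUT y_{i+1}
    return ys

def algorithm3(x0, e, N, R, s):
    """Algorithm 3: y0 = Mont(x0, Rr) with Rr = R^2 mod N, i.e. y0 = R*x0 mod N (B-24)."""
    N_prime = (-pow(N, -1, R)) % R
    Rr = (R * R) % N
    y0 = mont(x0 % N, Rr, N, R, N_prime)
    return exp_chain(y0, e, N, R, s)

def algorithm4(x0, e, N, R, s):
    """Algorithm 4: y0 = x0 mod N (B-26); no conversion into the Montgomery domain."""
    return exp_chain(x0 % N, e, N, R, s)

def plain_chain(x0, e, N, s):
    """Reference sequence x_{i+1} = x_i^e mod N of Equation (B-3)."""
    xs = [x0 % N]
    for _ in range(s + 1):
        xs.append(pow(xs[-1], e, N))
    return xs

def check_relations(x0, e, N, R, s):
    """Confirm y_i = R*x_i (Algorithm 3) and y_i = R**(1-e^i)*x_i (B-28, Algorithm 4)."""
    xs = plain_chain(x0, e, N, s)
    y3 = algorithm3(x0, e, N, R, s)
    y4 = algorithm4(x0, e, N, R, s)
    for i, x in enumerate(xs):
        if y3[i] != (R * x) % N:
            return False
        if y4[i] != (pow(R, 1 - e**i, N) * x) % N:   # negative exponent = modular inverse
            return False
    return True

def lsb_bits(ys):
    """a_i = lsb(y_i), Equations (B-23) and (B-29)."""
    return [y & 1 for y in ys]

if __name__ == "__main__":
    N = 1019 * 1031                    # constructed: both primes are 3 (mod 4)
    R = 1 << 21                        # R = 2^t > N, relatively prime to the odd N
    print(check_relations(123456, 3, N, R, 8))
    print(lsb_bits(algorithm4(123456, 3, N, R, 8)))
```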

A flowchart for executing Algorithm 4 will now be 
described with reference to Fig. 12. 

Values of y_0, e, N, s and R are entered at step 
S200. Here s is the number of repetitions of the residual 
operation. 

A counter i of repetitions of the residual operation 
is first initialized to "0" at step S201. Whenever this 
step is entered again, the counter i is incremented and 
processing proceeds to the next step. The count-up 
operation is performed up to s. 

Next, at step S202, R is substituted for y_{i+1} as the 
initial value of the residual operation. 

This is followed by step S203, at which a bit pointer 
j for pointing to each bit of e is first set to k. Here 
k is the bit length of e and is assumed to be set in advance. 
Whenever this step is entered again, the bit pointer j 
is decremented and processing proceeds to the next 
step. The countdown proceeds down to 1. 

At step S204, it is determined whether the j-th bit 
e_j designated by the bit pointer j is "1" or not. If the bit 
e_j is "1", the program proceeds to step S205, the operation 
Mont(y_{i+1}, y_i) is performed and the result is set 
as y_{i+1}. If the bit e_j is "0", the program proceeds to step 
S206. 

It is determined at step S206 whether the bit pointer 
j is greater than "1" or not. If j is not greater than 
"1", then the program proceeds to step S208. If j is 
greater than "1", the program proceeds to step S207, 
the operation Mont(y_{i+1}, y_{i+1}) is performed and the 
result is set as y_{i+1}. 

Next, at step S208, it is determined whether the 
bit pointer j is still a value in the interval 1 to k. If j is a 
value in this interval, then the program returns to the 
residual processing from step S203 onward. If j is outside 
this interval, then the program proceeds to step 
S209. 

At step S209, y_{i+1} (i = 0, 1, 2, ...) is stored in a 
memory device or the like. 

Next, at step S210, it is determined whether the 
counter i is a value in the interval 0 to s. If i is a value 
in this interval, then the program returns to modular 
multiplication from step S201 onward and the next residual 
processing operation is performed. If i is outside 
this interval, then residual processing is terminated. 
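The following Python program is an added worked example and is not code from the patent. It implements the Montgomery product of claim 1 (M = A × B × N' mod R taken as the lower n+2 bits, then (A × B + M × N) shifted by n+2 bits), runs the residual operation of Fig. 12 (steps S200 to S210) on top of it, and checks the relation y_i = R^{1-e^i} · x_i mod N on which the hard-core-bit argument above relies against the plain chain x_{i+1} = x_i^e mod N of Equation (B-3). The function names, the reduction of each y_{i+1} into [0, N) before its bits are used, and the toy modulus in the main block are this example's own choices. The reduction is included because the product of claim 1 is only guaranteed to lie in [0, 2N), and the least significant bit of y + N differs from that of y when N is odd, so bits taken from an unreduced value would not be the bits of Equation (B-29).

```python
# Added example, not code from the patent: Algorithm 4 (Fig. 12) in Python,
# using the Montgomery product of claim 1 (R = 2^(n+2), N' = -N^-1 mod R).
# Names (mont_params, mont, mont_exp, algorithm4, lsb_bits) and the small
# constructed parameters in __main__ are this example's own assumptions.

def mont_params(N):
    """Claim 1's setting means: n with N < 2^n, R = 2^(n+2), N' = -N^-1 mod R.
    N must be odd so that N^-1 mod R exists (R is a power of two)."""
    if N % 2 == 0:
        raise ValueError("N must be odd")
    n = N.bit_length()
    R = 1 << (n + 2)
    N_prime = (-pow(N, -1, R)) % R
    return R, N_prime, n + 2


def mont(u, v, N, R, N_prime, shift):
    """Mont(u, v) = u*v*R^-1 mod N, computed as in claim 1:
    M = lower n+2 bits of u*v*N'; P = (u*v + M*N) >> (n+2).
    For 0 <= u, v < 2N the result satisfies 0 <= P < 2N, and no division or
    residual operation is needed: 'mod R' is a mask and '/R' is a right shift."""
    t = u * v
    M = (t * N_prime) & (R - 1)      # N*N' = -1 (mod R) makes t + M*N divisible by R
    return (t + M * N) >> shift      # exact division by R


def mont_exp(y, e, N, R, N_prime, shift):
    """One residual operation of Fig. 12 (steps S202 to S208): start from R,
    scan e_k ... e_1; multiply by y when e_j = 1 (S205), square while j > 1
    (S207).  Returns y_{i+1} = R^(1-e) * y^e mod N, Equation (B-30),
    as a value in [0, 2N)."""
    bits = bin(e)[2:]                # e_k is the most significant bit, k = len(bits)
    acc = R                          # S202: y_{i+1} <- R; Mont(R, v) returns v unchanged
    for j, bit in enumerate(bits):
        if bit == "1":
            acc = mont(acc, y, N, R, N_prime, shift)
        if j < len(bits) - 1:        # corresponds to j > 1 in the patent's downward count
            acc = mont(acc, acc, N, R, N_prime, shift)
    return acc


def algorithm4(y0, e, N, s):
    """Steps S200 to S210: s repetitions of the residual operation,
    returning [y_1, ..., y_s].  Each result is brought into [0, N) by one
    conditional subtraction before it is stored, because the Montgomery
    product only guarantees P < 2N and lsb(y + N) != lsb(y) for odd N."""
    R, N_prime, shift = mont_params(N)
    y = y0 % N
    ys = []
    for _ in range(s):
        y = mont_exp(y, e, N, R, N_prime, shift)
        if y >= N:
            y -= N
        ys.append(y)                 # S209
    return ys


def lsb_bits(ys):
    """Logical operation unit 181 emitting only the least significant bit,
    i.e. a_i' = lsb(y_i) of Equation (B-29)."""
    return [y & 1 for y in ys]


if __name__ == "__main__":
    N = 11 * 13                      # constructed toy modulus; use N = p*q of RSA size in practice
    R = mont_params(N)[0]
    x, ys = 7, algorithm4(7, 3, N, 5)
    for i, y in enumerate(ys, start=1):
        x = pow(x, 3, N)             # Equation (B-3): x_{i+1} = x_i^e mod N
        assert y == (pow(R, 1 - 3 ** i, N) * x) % N   # Equation (B-28): y_i = R^(1-e^i) x_i mod N
    print("y_i:", ys, "bits:", lsb_bits(ys))
```

Because R is a multiple of 2^(n+2), the product R × v × N' is a multiple of R, so M = 0 and Mont(R, v) = v exactly; that is why the flowchart can start from y_{i+1} = R and obtain R^{1-e} · y_i^e rather than R^{-e} · y_i^e.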

Fig. 13 is a diagram showing the configuration of 
a pseudorandom number generator 183 according to 
the fifth embodiment of the present invention. The 
pseudorandom number generator 183 has a modular 
exponentiation arithmetic unit 180 and a logical operation 
unit 181. The modular exponentiation arithmetic 
unit 180, which executes processing in accordance 
with Algorithm 4, has an input buffer 184 whose inputs 
are the initial value y_0, N, which is the modulus 
of the residual operation, the arbitrary constant R, 
which is relatively prime to N, 
and the power e. These inputs are made using the 
keyboard 11. Upon receiving the values of the inputs 
N, R, y_0 and e from the input buffer 184, a Montgomery 
operation unit 185 performs an operation corresponding 
to the following equation to successively obtain 
a sequence of numbers y_i (i = 0, 1, 2, ...), namely 

    y_{i+1} = R^{1-e} · y_i^e mod N   (i = 0, 1, 2, ...)        (B-30) 

where 
    N = p · q 
    p, q are prime numbers 
    e: an arbitrary constant which satisfies e ≥ 2 

It should be noted that p, q are assumed to have been 
set in advance and that N (= p · q) is assumed to have 
been computed in advance. The actual operational 
method used by the Montgomery operation unit 185 
is not one in which the above equation is computed 
directly. Rather, the unit 185 applies the Montgomery 
method and performs an operation based upon the 
equivalent equations indicated by Equations (B-7) to 
(B-9). 

More specifically, the operation Mont(u, v) based 
upon the Montgomery method used in Algorithm 4 
performs the operations of Equations (B-7) to (B-9) 
mentioned above. 

Since N is an odd number, R and N are relatively 
prime integers if R = 2^t holds (where t is an arbitrary 
positive integer). In this case, division by R and the residual 
operation modulo R are essentially unnecessary operations 
(they reduce to a bit shift and a bit mask), and 
Mont(u, v) can be computed at high speed by multiplication 
and addition. Accordingly, a modular exponentiation 
operation capable of being implemented 
by repeated operations based upon the Montgomery 
method can be performed at high speed as well. 

In a modular exponentiation operation, Algorithm 
4 is executed. The inputs to the input buffer 184 of the 
modular exponentiation arithmetic unit 180 are the 
initial value y_0 (= x_0), the power e, the modulus N of the 
operation, the constant R and the number s of repeated 
operations with respect to i. An output unit 187 of 
the modular exponentiation arithmetic unit 180 successively 
outputs y_{i+1} (i = 1, ..., s). The modular exponentiation 
arithmetic unit 180 includes the input buffer 184, 
a decision unit 186, the Montgomery operation 
unit 185, a memory 188 and an output unit 187. 
The operating procedure of the modular exponentiation 
arithmetic unit 180 will now be described. 

(1) First, y_0 (= x_0), e, N, R, s are fed into the input 
buffer 184, whence e, s are input to the decision 
unit 186. The latter separates e into k bits [e_k, 
e_{k-1}, ..., e_2, e_1]. Furthermore, i = 0, j = k are set in 
two counters with respect to i, j provided in the decision 
unit 186. The values of R, N fed in the input 
buffer 184 are set in the Montgomery operation 
unit 185, and the initial value y_0 and y_{i+1} = R of the 
Montgomery operation are held in the memory 
188. 

(2) With respect to i = 0, j = k, the decision unit 
renders the decisions e_j = 1, j > 1 and outputs an 
address signal to the memory 188 in dependence 
upon the decisions. The memory 188 holds y_i and 
y_{i+1}, but y_{i+1} is updated from time to time by the 
output of the Montgomery operation unit 185. The 
memory 188 stores the output y_{i+1} of the Montgomery 
operation unit 185 in response to the address 
signal from the decision unit 186. Further, 
in dependence upon the address signal from the 
decision unit 186, the content of the memory 188 
is read out and y_{i+1} or y_i enters the Montgomery 
operation unit 185. The Montgomery operation 
unit 185 performs the Montgomery operation in 
accordance with the output from the memory 
188. The counter for j in the decision unit 186 is 
decremented by one count and this procedure is 
repeated until j = 0 is attained. 

(3) If j = 0 is established, the decision unit 186 issues 
an enable signal to the output unit 187, 
which latches y_{i+1} prevailing at the time of j = 0. 
The output unit 187 outputs the latched y_{i+1} as the 
result of the modular exponentiation operation and, 
at the same time, y_{i+1} is held in the memory 188 
as the next input y_i of the Montgomery operation 
unit 185. The counter for i in the decision unit 186 
is incremented by one count, and steps (2), (3) of 
this procedure are repeated until i = s is attained. 

(4) The procedure is terminated. 

The input buffer 184 is constituted by a register 
for latching and holding each of the input values y_0 (= 
x_0), e, N and R. The decision unit 186 can be constructed 
from a comparator for judging e_j = 1 and j > 
1, a counter for counting i and j and a logic circuit for 
outputting an address designating signal and an enable 
signal. The memory 188 can be a RAM capable 
of being written/read at random, and the output unit 
187 can be a register for latching and holding the output 
value of y_{i+1} in dependence upon the enable signal 
from the decision unit 186. 

In a case where the means for performing the 
Montgomery method is constituted by hardware, the 
basic components are an adder, a multiplier and a 
shifter which performs a bit shift in order to implement 
a modular multiplication operation based upon 
R. Furthermore, use can be made of a Montgomery 
arithmetic circuit illustrated in the literature "Exponential 
Algorithm and Systolic Array Using the Montgomery 
Method" (Iwamura, Matsumoto, Imai; Shingaku 
Giho, vol. 92, No. 134, pp. 49-54, 1992). 

The output of the modular exponentiation arithmetic 
unit 180 enters the logical operation unit 181. 
The latter generates and outputs pseudorandom 
numbers from an arbitrary bit (or bits) in the range of the 
lower-order log_2 n (where n represents the number of 
digits of N in binary notation) bits of each of the entered 
y_1, y_2, .... 

The logical operation unit 181 is capable of outputting, 
as a pseudorandom number, arbitrary bits in 
the range of the lower-order log_2 n bits of each of the entered 
y_1, y_2, .... For example, all of the lower-order 
log_2 n bits may be outputted as a pseudorandom number, 
or only the least significant bit may be outputted 
as a pseudorandom number. 

In a case where the logical operation unit is constituted 
by hardware, for example, use can be made 
of a parallel-input, serial-output shift register which 
latches the entered y_i (i = 1, 2, ...) in parallel and sequentially 
outputs, in serial form, the lower-order 
log_2 n bits. 

In accordance with the fifth embodiment, as described 
in detail above, use is made of the computation 
procedure of Algorithm 4, which dispenses with 
the processing of equations (*1) and (*3), which are 
necessary in the prior art in Algorithm 2. As a result, 
a sequence of pseudorandom numbers having the 
same degree of security as that of Equation (B-3) can 
be generated at high speed or by circuitry of smaller 
scale. 

In this case, in addition to speeding up the modular 
multiplication operation based upon use of the 
Montgomery method, it is possible to dispense with the 
conversion of the inputs and the conversion for obtaining 
the output that are necessary in Algorithm 2. As a result, 
an increase in the speed of the overall operation can be 
expected. 

Thus, as described above, generation/reproduction 
of communication data can be performed at high speed by the 
method and apparatus of the fifth embodiment. 



<Sixth Embodiment> 

The third through fifth embodiments described 
above illustrate methods of generating pseudorandom 
numbers by the Montgomery method. In general, 
however, a residual operation can be applied to a 
number C · x_i, which is obtained by multiplying the result 
x_i of a power operation by an arbitrary constant 
C, and pseudorandom numbers can be generated 
from prescribed bits of y = C · x_i mod N obtained as a 
result. 

Fig. 14 is a block diagram showing the configuration 
of a pseudorandom number generator 173 according 
to the sixth embodiment. A modular exponentiation 
arithmetic unit 170 performs the operation 
indicated by the following equation, in the 
form of a chain, to generate x_1, x_2, ... from the initial value 
x_0, N, which is the modulus of the residual operation, 
and the power e: 

    x_{i+1} = x_i^e mod N   (i = 0, 1, 2, ...)                  (B-31) 

where 
    N = p · q 
    p, q are prime numbers 
    e (≥ 2): an arbitrary constant 

The modular multiplication unit 172 generates y_1, 
y_2, ... by performing the following operation: 

    y_{i+1} = C · x_{i+1} mod N   (i = 0, 1, 2, ...)             (B-32) 

from the input value x_{i+1} (i = 0, 1, 2, ...) and N, which 
is the modulus of the residual operation. 

The modular exponentiation arithmetic unit 170 
executes Algorithm 1. The inputs to the modular exponentiation 
arithmetic unit 170 are the initial value 
x_0, the power e, the modulus N of the arithmetic operation 
and the number of repetitions s with regard to 
i. The modular exponentiation arithmetic unit 170, 
which successively outputs x_{i+1} (i = 0, 1, ..., s), comprises 
an input buffer 174, a decision unit 176, a modular 
multiplication unit 175, a memory 178 and an output 
unit 177. 

The operating procedure of the modular exponentiation 
arithmetic unit 170 will now be described. 

(1) First, x_0, e, N and s are fed into the input buffer 
174, whence e, s are input to the decision unit 
176. The latter separates e into k bits [e_k, e_{k-1}, 
..., e_2, e_1]. Furthermore, i = 0, j = k are set in two 
counters (not shown) with respect to i, j provided 
in the decision unit 176. The value of N fed in 
the input buffer 174 is set in the modular multiplication 
unit 175, and the initial value x_0 and x_{i+1} 
= 1 of the modular multiplication operation are 
held in the memory 178. 

(2) With respect to i = 0, j = k, the decision unit 176 
renders the decisions e_j = 1, j > 1 and outputs an 
address signal to the memory 178 in dependence 
upon the decisions. The memory 178 holds x_i and 
x_{i+1}, but x_{i+1} is updated from time to time by the 
output of the modular multiplication unit 175. The 
memory 178 stores the output x_{i+1} of the modular 
multiplication operation in response to the address 
signal from the decision unit 176. Further, 
in dependence upon the address signal from the 
decision unit 176, the content of the memory 178 
is read out and x_{i+1} or x_i is outputted to the modular 
multiplication unit 175. The modular multiplication 
unit 175 performs modular multiplication in 
accordance with the output from the memory 
178. The counter for j in the decision unit 176 is 
decremented by one count and this procedure is 
repeated until j = 0 is attained. 

(3) If j = 0 is established, the decision unit 176 issues 
an enable signal to the output unit 177, 
which latches x_{i+1} prevailing at the time of j = 0. 
The output unit 177 outputs the latched x_{i+1} as the 
result of the modular exponentiation operation 
and, at the same time, x_{i+1} is held in the memory 
178 as the next input x_i of the modular multiplication 
unit 175. The counter for i in the decision unit 176 
is incremented by one count, and steps (2), (3) of 
this procedure are repeated until i = s is attained. 

(4) The procedure is terminated. 

The input buffer 174 is constituted by a register 
for latching and holding each of the input values x_0, 
e, N and s. The decision unit 176 can be constructed 
from a comparator for judging e_j = 1 and j > 1, a counter 
for counting i and j and a logic circuit for outputting an address 
designating signal and an enable signal. The 
memory 178 can be a RAM capable of being written/read 
at random, and the output unit 177 can be a register 
for latching and holding the output value of x_{i+1} 
in dependence upon the enable signal from the decision 
unit 176. 

Thus, as set forth above, the modular exponentiation 
operation can be realized by repeating modular 
multiplication. In a case where the modular multiplication 
operation by the modular exponentiation arithmetic 
unit 170 and the modular multiplication unit 172 is implemented 
by hardware, for example, it is also possible 
to use a modular multiplication method illustrated 
in the literature "Method of Constructing RSA Encryption 
Device by Parallel Processing" (Iwamura, Matsumoto, 
Imai; Denshi Joho Tsushin Gakkai Ronbunshi A, 
vol. J75-A, No. 8, pp. 1301-1311, 1992). 

The output of the modular multiplication unit 172 
enters a logical operation unit 171. The latter generates 
and outputs pseudorandom numbers from an arbitrary 
bit (or bits) in the range of the lower-order log_2 n 
(where n represents the number of digits of N in binary 
notation) bits of each of the entered y_1, y_2, .... 

The logical operation unit 171 is capable of outputting, 
as a pseudorandom number, arbitrary bits in 
the range of the lower-order log_2 n bits of each of the entered 
y_1, y_2, .... For example, all of the lower-order 
log_2 n bits may be outputted as a pseudorandom number, 
or only the least significant bit may be outputted 
as a pseudorandom number. 

Thus, as described above, generation/reproduction 
of communication data can be performed at high 
speed using the pseudorandom numbers generated 
by the method and apparatus of this embodiment. 

<Seventh Embodiment> 

As described thus far, pseudorandom numbers 
generated by the method of generating pseudorandom 
numbers set forth above are strongly resistant to 
analysis and, as a result, secure, encrypted communication 
can be realized by using these pseudorandom 
numbers in encryption. An application in encrypted 
communication using the random number 
generator of the foregoing embodiments will now be 
described in an encrypted communication network 
based upon encryption (stream encryption) in which 
an exclusive-OR operation is performed, bit by bit, 
between a communication text and random numbers. 

Fig. 15 is a diagram showing a common-key encrypted 
communication network 130 in which a specific 
and secret encryption key is possessed by the 
subscribers to the network. The subscribers to the 
network are A, B, C, ..., N. A communication network 
134 makes possible communication among the subscribers 
A, B, C, ..., N. Symbols K_AB, K_AC, ... in the circles 
under the subscribers A, B, C, ..., N signify encryption 
keys shared by subscribers. For example, 
symbols K_AB, K_AC, ... indicate encryption keys shared 
by subscribers A and B, subscribers A and C, respectively. 

Fig. 16 is a block diagram showing the construction 
of a communication apparatus which includes an 
encryption device and a decryption device both using 
the random number generator of this embodiment. 

In Fig. 16, a random number generator 140 generates 
a sequence of pseudorandom numbers in accordance 
with any of the third through sixth embodiments 
described above. A gate 143 outputs the exclusive-OR 
between a communication text and a pseudorandom 
number outputted by the random number 
generator 140 and delivers the result of this operation 
as an encrypted text. On the other hand, an input encrypted 
text is applied to a gate 149, which takes the exclusive-OR 
between this text and a pseudorandom number 
from the random number generator 140, thereby 
decoding the encrypted text into a communication 
text. 

Fig. 17 is a diagram showing secret communication 
between A and B in the encrypted communication 
system illustrated in Figs. 15 and 16. 

In Fig. 17, encrypted communication from a receiver 
145 used by a transmitting party A to a receiver 
146 used by a receiving party B is carried out through 
the following procedure: 

(1) The transmitting party A sets all or part of the 
secret key K_AB, which is shared with receiving 
party B, in the random number generator 140 as 
the initial value thereof and generates a random-number 
sequence k_i (141). 

(2) An exclusive-OR gate 143 computes, bit by 
bit, the exclusive-OR "m_i (+) k_i" between the random-number 
sequence k_i (141) generated by the 
transmitting party A and a communication text m_i 
(142) created in advance, and transmits the result, 
namely an encrypted text c_i, to the receiver 
146. 

(3) The receiving party B sets all or part of the secret 
key K_AB, which is shared with transmitting 
party A, in a random number generator 147 as the 
initial value thereof and generates the random-number 
sequence k_i. 

(4) The receiving party B takes the exclusive-OR 
"c_i (+) k_i" between the generated random-number 
sequence k_i and the received encrypted text c_i, 
whereby the output 
thereof is restored as the communication text m_i 
(148). 

In accordance with this procedure, only the legitimate 
receiving party B knows the secret key K_AB and 
therefore is capable of decrypting the received encrypted 
text into the original communication text. 
Other subscribers (C, ..., N) do not know the secret key 
used at the time of the encryption and therefore 
cannot determine the content of the text. Secret communication 
is thus achieved. 
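As an added example that is not code from the patent, the following Python program implements the sixth-embodiment generator of Equations (B-31) and (B-32) (Algorithm 1 exponentiation, multiplication by C, extraction of lower-order bits) and uses its output as the random-number sequence k_i in the procedure of Fig. 17, steps (1) to (4). The function names, the parameters N = 1009 · 1013, e = 5 and C = R^{-1} mod N with R = 2^22 (the choice of claim 7), the shared key K_AB and the texts are constructed for the example. The main block also checks a property of any bit-wise exclusive-OR cipher that a deployment must respect: if the same initial value is used for two texts, the two keystreams coincide and c_1 (+) c_2 = m_1 (+) m_2, so a given initial value must serve one text only.

```python
# Added example, not code from the patent: the sixth-embodiment generator
# (Equations (B-31), (B-32)) feeding the bit-by-bit XOR stream cipher of
# Figs. 16 and 17.  Function names and the constructed values in __main__
# (N = 1009*1013, e = 5, C = R^-1 mod N with R = 2^22, the key K_AB and the
# texts) are this example's own assumptions, not the patent's.

def modexp(x, e, N):
    """Algorithm 1 as run by decision unit 176 / multiplication unit 175:
    start from 1, scan e_k ... e_1, multiply by x when e_j = 1, square while
    j > 1.  Returns x^e mod N."""
    bits = bin(e)[2:]
    acc = 1
    for j, bit in enumerate(bits):
        if bit == "1":
            acc = (acc * x) % N
        if j < len(bits) - 1:
            acc = (acc * acc) % N
    return acc


def generate_bits(x0, e, N, C, count, nbits=1):
    """Units 170/172/171 of Fig. 14: x_{i+1} = x_i^e mod N (B-31),
    y_{i+1} = C * x_{i+1} mod N (B-32); emit the low `nbits` bits of each
    y_{i+1} until `count` bits have been produced.  The patent restricts the
    usable bits to the lower-order log2 n bits, n = bit length of N."""
    n = N.bit_length()
    limit = max(1, n.bit_length() - 1)   # floor(log2 n)
    if not 1 <= nbits <= limit:
        raise ValueError("nbits must lie within the lower-order log2 n bits")
    x = x0 % N
    out = []
    while len(out) < count:
        x = modexp(x, e, N)
        y = (C * x) % N
        out.extend((y >> b) & 1 for b in range(nbits))
    return out[:count]


def keystream(seed, nbytes, e, N, C):
    """k_i of Fig. 17, packed into bytes (most significant bit first)."""
    bits = generate_bits(seed, e, N, C, nbytes * 8)
    out = bytearray()
    for k in range(0, len(bits), 8):
        byte = 0
        for b in bits[k:k + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def xor_text(data, ks):
    """Gates 143 / 149: c_i = m_i (+) k_i and m_i = c_i (+) k_i, bit by bit."""
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt(message, K_ab, e, N, C):
    """Steps (1), (2): party A seeds the generator with (all or part of) K_AB
    and XORs the communication text with the resulting k_i."""
    return xor_text(message, keystream(K_ab, len(message), e, N, C))


def decrypt(ciphertext, K_ab, e, N, C):
    """Steps (3), (4): party B regenerates the same k_i from K_AB and XORs."""
    return xor_text(ciphertext, keystream(K_ab, len(ciphertext), e, N, C))


if __name__ == "__main__":
    N = 1009 * 1013                  # constructed toy p*q; RSA-size in practice
    e = 5
    C = pow(1 << 22, -1, N)          # claim 7: C = R^-1 mod N, R = 2^t coprime to odd N
    K_ab = 0x3A7F1                   # constructed shared secret of A and B
    m = b"attack at dawn"
    c = encrypt(m, K_ab, e, N, C)
    assert decrypt(c, K_ab, e, N, C) == m
    # An initial value must serve one text only: with the same k_i,
    # c1 (+) c2 = m1 (+) m2 and the keystream cancels out.
    m2 = b"retreat at dusk"
    assert xor_text(c, encrypt(m2, K_ab, e, N, C)) == xor_text(m, m2)
    print(c.hex())
```

Only party B, holding K_AB, can regenerate k_i; a subscriber with a different initial value obtains an unrelated sequence and the exclusive-OR does not restore m_i.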

In a portable network in which an encryption key 
is not distributed beforehand as in Fig. 15 but is required 
to be owned jointly by the transmitting and receiving 
parties before encrypted communication, it is 
possible to realize encrypted communication through 
the same procedure if well-known key distribution is 
carried out. 

In the encrypted communication network illustrated 
in the seventh embodiment, a specific and secret 
key is shared by the parties transmitting and receiving 
a communication text. As a result, the fact that 
an encrypted text can be received and decoded into 
a meaningful communication text assures the receiving 
party of the fact that the communication text has 
been transmitted from another party possessing the 
key. Accordingly, with the secret communication system 
according to the seventh embodiment, authentication 
of transmitting and receiving parties in communication 
can be performed as well. This assurance rests on the 
receiving party's judgement that the decoded text is 
meaningful; since the exclusive-OR is taken bit by bit, 
a third party can invert chosen bits of c_i without knowing 
K_AB, so a separate authentication code is required 
where the integrity of the text itself must be guaranteed. 

Thus, as described above, generation/reproduction 
of communication data can be performed at high 
speed using the pseudorandom numbers generated 
by the method and apparatus of this embodiment. 

<Eighth Embodiment> 

In a network of the type in which an encryption 
key is not distributed beforehand as in the seventh 
embodiment but is required to be owned jointly by the 
transmitting and receiving parties before encrypted 
communication, the well-known Diffie-Hellman method 
is available, in which the encryption key can be 
shared safely even in a case where communication 
takes place over a communication line that is susceptible 
to wiretapping (W. Diffie and M.E. Hellman, 
"New Directions in Cryptography", IEEE Trans. Inf. Theory, vol. IT-22, No. 
6, 1976). The random numbers generated by the third 
through sixth embodiments can be used as the random 
numbers employed in this method. 

Since the transmitting party and receiving party 
need not possess the same random numbers in 
this case, the initial value set in the random number 
generator of each party may be any respective value. 

In a case where cryptologically secure pseudorandom 
numbers are generated by the Montgomery 
method in accordance with the embodiments described 
in detail above, using prescribed bits of y_i, obtained 
by Equation (B-15) or (B-25), as pseudorandom 
numbers makes it unnecessary to perform the 
operation of equation (*3), or of equations (*1) and 
(*3), which is required in the prior art. As a result, 
it is possible to generate pseudorandom numbers 
having the same degree of security as that of the prior 
art at higher speed or with circuitry of smaller scale. 
Further, generation/reproduction of communication 
data can be performed at high speed using the pseudorandom 
numbers generated. 

Thus, in accordance with the third through eighth 
embodiments as described above, secure pseudorandom 
numbers can be generated at higher speed 
and more easily, and generation/reproduction of communication 
data can be performed at high speed. 

The present invention can be applied to a system 
constituted by a plurality of devices or to an apparatus 
comprising a single device. Furthermore, it goes 
without saying that the invention is applicable also to 
a case where the object of the invention is attained by 
supplying a program to a system or apparatus. 

As many apparently widely different embodiments 
of the present invention can be made without 
departing from the spirit and scope thereof, it is to be 
understood that the invention is not limited to the specific 
embodiments thereof except as defined in the 
appended claims. 



Claims 

1. An encryption apparatus for encrypting data by 
using a result of modular multiplication P = A × B 
× R^{-1} mod N for input A and B, given odd number 
N, and R which is determined to be relatively prime 
to N, comprising: 

setting means for determining 2^{n+2}, with respect 
to n satisfying N < 2^n, as parameter R, and 
setting -N^{-1} mod R as parameter N'; 

input means for inputting data A, B, which 
are to be encrypted, under the condition 0 ≤ A, B 
< 2N; 

modular multiplication means for multiplying 
input A and B and set N', and outputting the lower 
n+2 bits of the result of the multiplication A × B × 
N' as M = A × B × N' mod R; and 

arithmetic means for computing A × B + M × N 
and shifting the result of the computation by n+2 
bits to obtain (A × B + M × N)/R as P satisfying 0 
≤ P < 2N. 

2. An encryption apparatus for encrypting data by 
using a result of modular multiplication Q = A × B 
mod N for input A and B, and given odd number 
N, comprising: 

setting means for determining 2^{n+2}, with respect 
to n satisfying N < 2^n, as parameter R, 
setting -N^{-1} mod R as parameter N', and setting 
R^2 mod N as parameter R_R; 

input means for inputting data A, B, which 
are to be encrypted, under the condition 0 ≤ A, B 
< 2N; 

first modular multiplication means for multiplying 
input A and B and set N', and outputting the 
lower n+2 bits of the result of the multiplication A × 
B × N' as M = A × B × N' mod R; 

first arithmetic means for computing A × B + 
M × N and shifting the result of the computation by 
n+2 bits to obtain (A × B + M × N)/R as P = A × B × 
R^{-1} mod N satisfying 0 ≤ P < 2N; 

second modular multiplication means for 
multiplying P output from said first arithmetic 
means and set R_R and N', and outputting the lower 
n+2 bits of the result of the multiplication P × R_R × 
N' as M' = P × R_R × N' mod R; 

second arithmetic means for computing P 
× R_R + M' × N and shifting the result of the computation 
by n+2 bits to obtain (P × R_R + M' × N)/R as 
Q = A × B mod N satisfying 0 ≤ Q < 2N. 

3. The apparatus according to claim 2, wherein said 
first and second arithmetic means have arithmetic 
circuits of identical construction and these two 
arithmetic circuits are connected in series. 

4. The apparatus according to claim 2, wherein the circuits 
used by said first and second arithmetic 
means are identical arithmetic circuits, and said 
apparatus further comprises selecting means for 
selecting, and inputting to said arithmetic circuits, 
the set of data A, B to be encrypted entered 
by said input means or the set of numerical values 
of the output value P of said arithmetic circuit and 
R_R; 

said first arithmetic means obtaining the 
output value P in response to the data A, B being 
inputted to said arithmetic circuit by said selecting 
means; and 

said second arithmetic means obtaining 
the output value Q in response to the output value 
P, which has been obtained by said first arithmetic 
means, and said R_R being inputted to said arithmetic 
circuit by said selecting means. 

5. A communication apparatus comprising encrypting 
apparatus as claimed in any preceding claim. 

6. A communication apparatus comprising: 

generating means for generating a sequence 
of numbers X_1 through X_{s+1} by the recurrence 
formula X_{i+1} = C × X_i^e mod N on the basis of 
a prescribed initial value X_0 and prescribed values 
N and C; 

extracting means for extracting a prescribed 
portion from the sequence of numbers to 
serve as pseudorandom-number data; and 

communication means for processing 
communication data on the basis of the pseudorandom-number 
data, encrypting the communication 
data and decoding the communication data. 

7. The apparatus according to claim 6, wherein 
R^{-1} corresponding to an integer R which is 
relatively prime to the prescribed value N is 
determined as the prescribed value C. 

8. The apparatus according to claim 7, wherein the 
number sequence is obtained by performing a recursive 
operation in accordance with the following 
recursion formula 

    X_{i+1} = {X_i^2 + [X_i^2 × (-N^{-1} mod R) mod R] × N}/R. 

9. The apparatus according to claim 8, wherein 2^t 
for an integer t is selected as the integer R and the 
division by R in said recursive operation is performed 
by a t-bit shift. 

10. A communication apparatus comprising: 

generating means for generating a sequence 
of numbers X_1 through X_{s+1} by the recurrence 
formula X_{i+1} = C × X_i^e mod N on the basis of 
a prescribed initial value X_0 and prescribed values 
N and C; 

extracting means for extracting a prescribed 
portion from the sequence of numbers to 
serve as pseudorandom-number data; and 

communication means for processing 
communication data on the basis of the pseudorandom-number 
data, encrypting the communication 
data and decoding the communication data. 

11. The apparatus according to claim 10, wherein 
R^{-1} corresponding to an integer R which is 
relatively prime to the prescribed value N is 
determined as the prescribed value C. 

12. The apparatus according to claim 11, wherein the 
number sequence is obtained by performing a recursive 
operation in accordance with the following 
formula 

    Q = {u × v + [u × v × (-N^{-1} mod R) mod R] × N}/R. 

13. Decryption apparatus for decrypting data encrypted 
by encryption apparatus according to 
any one of claims 1 to 4. 

14. Communication apparatus including decryption 
apparatus as claimed in claim 13. 

15. An encryption method comprising modular multiplication 
under the conditions 0 < N < 2^n, 0 ≤ A, 
B < 2N, R = 2^{n+2}, in which a first multiplier performs 
multiplication between input values A and 
B; a second multiplier performs multiplication 
between the output of the first multiplier and 
[-(N^{-1} mod R)], which is decided by the set parameters 
N and R, and outputs M; a third multiplier performs 
multiplication between the output M and 
the set parameter N and outputs the product M × 
N; an adder adds the output of the first multiplier 
and the output of the third multiplier, and a shift 
register shifts the sum rightward by n+2 bits (division by R) to 
produce an output P = (A × B + M × N)/R. 